Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Purchase Order.exe

Overview

General Information

Sample Name:Purchase Order.exe
Analysis ID:527594
MD5:c7ac272d4cfd98c9d86bff3b6c3e89d8
SHA1:a6334818159cc0bad0a8ba8cc8204685bf5ba7e5
SHA256:443c27b78b0fa24ae1131834d0307fa6da57f1463695fc6480d0d3874d5dcf64
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
Executable has a suspicious name (potential lure to open the executable)
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Purchase Order.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" MD5: C7AC272D4CFD98C9D86BFF3B6C3E89D8)
    • powershell.exe (PID: 4544 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6816 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmp4FFB.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Purchase Order.exe (PID: 3416 cmdline: C:\Users\user\Desktop\Purchase Order.exe MD5: C7AC272D4CFD98C9D86BFF3B6C3E89D8)
      • schtasks.exe (PID: 5280 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp65C6.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 7044 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6E05.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Purchase Order.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\Purchase Order.exe" 0 MD5: C7AC272D4CFD98C9D86BFF3B6C3E89D8)
    • powershell.exe (PID: 5684 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5712 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmpAF9F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Purchase Order.exe (PID: 5600 cmdline: C:\Users\user\Desktop\Purchase Order.exe MD5: C7AC272D4CFD98C9D86BFF3B6C3E89D8)
  • dhcpmon.exe (PID: 1440 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: C7AC272D4CFD98C9D86BFF3B6C3E89D8)
  • dhcpmon.exe (PID: 5248 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: C7AC272D4CFD98C9D86BFF3B6C3E89D8)
    • powershell.exe (PID: 4780 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6636 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmpB24F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 5980 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: C7AC272D4CFD98C9D86BFF3B6C3E89D8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
    00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 81 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      22.2.Purchase Order.exe.3b44c4d.4.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xb184:$x1: NanoCore.ClientPluginHost
      • 0x24170:$x1: NanoCore.ClientPluginHost
      • 0xb1b1:$x2: IClientNetworkHost
      • 0x2419d:$x2: IClientNetworkHost
      22.2.Purchase Order.exe.3b44c4d.4.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xb184:$x2: NanoCore.ClientPluginHost
      • 0x24170:$x2: NanoCore.ClientPluginHost
      • 0xc25f:$s4: PipeCreated
      • 0x2524b:$s4: PipeCreated
      • 0xb19e:$s5: IClientLoggingHost
      • 0x2418a:$s5: IClientLoggingHost
      22.2.Purchase Order.exe.3b44c4d.4.raw.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        22.2.Purchase Order.exe.3b40624.5.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xf7ad:$x1: NanoCore.ClientPluginHost
        • 0x28799:$x1: NanoCore.ClientPluginHost
        • 0xf7da:$x2: IClientNetworkHost
        • 0x287c6:$x2: IClientNetworkHost
        22.2.Purchase Order.exe.3b40624.5.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xf7ad:$x2: NanoCore.ClientPluginHost
        • 0x28799:$x2: NanoCore.ClientPluginHost
        • 0x10888:$s4: PipeCreated
        • 0x29874:$s4: PipeCreated
        • 0xf7c7:$s5: IClientLoggingHost
        • 0x287b3:$s5: IClientLoggingHost
        Click to see the 111 entries

        Sigma Overview

        AV Detection:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Purchase Order.exe, ProcessId: 3416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Purchase Order.exe, ProcessId: 3416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        System Summary:

        barindex
        Sigma detected: Suspicius Add Task From User AppData TempShow sources
        Source: Process startedAuthor: frack113: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmp4FFB.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmp4FFB.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order.exe" , ParentImage: C:\Users\user\Desktop\Purchase Order.exe, ParentProcessId: 6284, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmp4FFB.tmp, ProcessId: 6816
        Sigma detected: Powershell Defender ExclusionShow sources
        Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order.exe" , ParentImage: C:\Users\user\Desktop\Purchase Order.exe, ParentProcessId: 6284, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe, ProcessId: 4544
        Sigma detected: Non Interactive PowerShellShow sources
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Purchase Order.exe" , ParentImage: C:\Users\user\Desktop\Purchase Order.exe, ParentProcessId: 6284, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe, ProcessId: 4544
        Sigma detected: T1086 PowerShell ExecutionShow sources
        Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132821884866883736.4544.DefaultAppDomain.powershell

        Stealing of Sensitive Information:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Purchase Order.exe, ProcessId: 3416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Purchase Order.exe, ProcessId: 3416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Jbx Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Multi AV Scanner detection for dropped fileShow sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 20%
        Source: C:\Users\user\AppData\Roaming\HxuauFbNyB.exeReversingLabs: Detection: 20%
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b44c4d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b40624.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.37bc150.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.371e600.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3aac150.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.371e600.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3efe600.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3f9c150.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3efe600.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3a0e600.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3a0e600.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.37bc150.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b3b7ee.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b40624.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3aac150.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3f9c150.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.763392801.0000000003021000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.737752237.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.756938060.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.738310654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.737115458.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.740872002.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.738929649.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.763480570.0000000004029000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6284, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 3416, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 7052, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5248, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 5600, type: MEMORYSTR
        Source: 22.0.Purchase Order.exe.400000.12.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 9.2.Purchase Order.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 22.0.Purchase Order.exe.400000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 22.0.Purchase Order.exe.400000.6.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 9.0.Purchase Order.exe.400000.8.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 22.2.Purchase Order.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 22.0.Purchase Order.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 9.0.Purchase Order.exe.400000.12.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 9.0.Purchase Order.exe.400000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 22.0.Purchase Order.exe.400000.8.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 9.0.Purchase Order.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 9.0.Purchase Order.exe.400000.6.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: Purchase Order.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: Purchase Order.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: \??\C:\Windows\dll\System.pdb source: Purchase Order.exe, 00000009.00000003.743306809.0000000000D38000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp

        Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49763 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49764 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49765 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49807 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49813 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49815 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49822 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49839 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49841 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49842 -> 185.140.53.160:6640
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49843 -> 185.140.53.160:6640
        Uses dynamic DNS servicesShow sources
        Source: unknownDNS query: name: john23432.ddns.net
        Source: global trafficTCP traffic: 192.168.2.4:49763 -> 185.140.53.160:6640
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpString found in binary or memory: http://google.com
        Source: Purchase Order.exe, 00000000.00000002.686415706.0000000002631000.00000004.00000001.sdmp, Purchase Order.exe, 0000000E.00000002.722519255.0000000002921000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
        Source: dhcpmon.exe, 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: http://www.chinhdo.com
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: unknownDNS traffic detected: queries for: john23432.ddns.net
        Source: Purchase Order.exe, 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b44c4d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b40624.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.37bc150.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.371e600.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3aac150.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.371e600.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3efe600.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3f9c150.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3efe600.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3a0e600.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3a0e600.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.37bc150.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b3b7ee.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b40624.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3aac150.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3f9c150.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.763392801.0000000003021000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.737752237.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.756938060.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.738310654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.737115458.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.740872002.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.738929649.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.763480570.0000000004029000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6284, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 3416, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 7052, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5248, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 5600, type: MEMORYSTR

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 22.2.Purchase Order.exe.3b44c4d.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.Purchase Order.exe.3b40624.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Purchase Order.exe.37bc150.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Purchase Order.exe.37bc150.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.Purchase Order.exe.371e600.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Purchase Order.exe.371e600.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.Purchase Order.exe.3aac150.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.Purchase Order.exe.3aac150.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.Purchase Order.exe.371e600.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Purchase Order.exe.371e600.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.dhcpmon.exe.3efe600.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.3efe600.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.3.Purchase Order.exe.4616216.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.3.Purchase Order.exe.463026d.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.dhcpmon.exe.3f9c150.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.3f9c150.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.dhcpmon.exe.3efe600.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.3efe600.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.Purchase Order.exe.3a0e600.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.Purchase Order.exe.3a0e600.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.Purchase Order.exe.3a0e600.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.Purchase Order.exe.3a0e600.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.Purchase Order.exe.2b59588.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.3.Purchase Order.exe.463026d.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Purchase Order.exe.37bc150.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Purchase Order.exe.37bc150.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.Purchase Order.exe.3b3b7ee.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.2.Purchase Order.exe.3b3b7ee.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.2.Purchase Order.exe.3b40624.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.Purchase Order.exe.3aac150.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.Purchase Order.exe.3aac150.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 22.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 22.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.dhcpmon.exe.3f9c150.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.3f9c150.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.3.Purchase Order.exe.462a841.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.3.Purchase Order.exe.4616216.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000002.763392801.0000000003021000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000000.737752237.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000000.737752237.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000002.756938060.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000002.756938060.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000000.738310654.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000000.738310654.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000000.737115458.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000000.737115458.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000002.740872002.0000000003AF9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000000.738929649.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000001D.00000000.738929649.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000001D.00000002.763480570.0000000004029000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Purchase Order.exe PID: 6284, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Purchase Order.exe PID: 6284, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Purchase Order.exe PID: 3416, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Purchase Order.exe PID: 3416, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Purchase Order.exe PID: 7052, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Purchase Order.exe PID: 7052, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5248, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5248, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Purchase Order.exe PID: 5600, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Purchase Order.exe PID: 5600, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious nameShow sources
        Source: initial sampleStatic PE information: Filename: Purchase Order.exe
        Executable has a suspicious name (potential lure to open the executable)Show sources
        Source: Purchase Order.exeStatic file information: Suspicious name
        Source: Purchase Order.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 22.2.Purchase Order.exe.3b44c4d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.Purchase Order.exe.3b44c4d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.2.Purchase Order.exe.3b40624.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.Purchase Order.exe.3b40624.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.Purchase Order.exe.37bc150.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Purchase Order.exe.37bc150.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Purchase Order.exe.371e600.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Purchase Order.exe.371e600.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.Purchase Order.exe.3aac150.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.Purchase Order.exe.3aac150.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.Purchase Order.exe.3aac150.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Purchase Order.exe.371e600.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Purchase Order.exe.371e600.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.Purchase Order.exe.371e600.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.dhcpmon.exe.3efe600.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.3efe600.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.3efe600.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.3.Purchase Order.exe.4616216.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.3.Purchase Order.exe.4616216.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.3.Purchase Order.exe.463026d.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.dhcpmon.exe.3f9c150.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.3f9c150.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.3f9c150.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.dhcpmon.exe.3efe600.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.3efe600.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.Purchase Order.exe.3a0e600.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.Purchase Order.exe.3a0e600.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.Purchase Order.exe.3a0e600.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.Purchase Order.exe.3a0e600.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.Purchase Order.exe.3a0e600.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.Purchase Order.exe.2b59588.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.Purchase Order.exe.2b59588.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.3.Purchase Order.exe.463026d.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.3.Purchase Order.exe.463026d.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.Purchase Order.exe.37bc150.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Purchase Order.exe.37bc150.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.Purchase Order.exe.37bc150.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.Purchase Order.exe.3b3b7ee.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.Purchase Order.exe.3b3b7ee.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.2.Purchase Order.exe.3b3b7ee.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 9.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.2.Purchase Order.exe.3b40624.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.2.Purchase Order.exe.3b40624.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.Purchase Order.exe.3aac150.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.Purchase Order.exe.3aac150.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 22.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 22.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 22.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.dhcpmon.exe.3f9c150.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.3f9c150.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.3.Purchase Order.exe.462a841.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.3.Purchase Order.exe.4616216.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000002.763392801.0000000003021000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000000.737752237.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000000.737752237.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000002.756938060.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000002.756938060.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000000.738310654.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000000.738310654.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000000.737115458.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000000.737115458.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000002.740872002.0000000003AF9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000000.738929649.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000001D.00000000.738929649.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000001D.00000002.763480570.0000000004029000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Purchase Order.exe PID: 6284, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Purchase Order.exe PID: 6284, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Purchase Order.exe PID: 3416, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Purchase Order.exe PID: 3416, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Purchase Order.exe PID: 7052, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Purchase Order.exe PID: 7052, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5248, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5248, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Purchase Order.exe PID: 5600, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Purchase Order.exe PID: 5600, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00C2C9B40_2_00C2C9B4
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00C2EDB70_2_00C2EDB7
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00C2EE000_2_00C2EE00
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00C2EE100_2_00C2EE10
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_06D500400_2_06D50040
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_06D546400_2_06D54640
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_06D546300_2_06D54630
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_06D5842A0_2_06D5842A
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_06D548900_2_06D54890
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_06D548830_2_06D54883
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_06FE13480_2_06FE1348
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_084100400_2_08410040
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_084160F00_2_084160F0
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_084161000_2_08416100
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286E4809_2_0286E480
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286E4739_2_0286E473
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286BBD49_2_0286BBD4
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 14_2_05A2F93814_2_05A2F938
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 14_2_05A2004014_2_05A20040
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 14_2_05A2488314_2_05A24883
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 14_2_05A2489014_2_05A24890
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 14_2_05A2842A14_2_05A2842A
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 14_2_05A2463014_2_05A24630
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 14_2_05A2464014_2_05A24640
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_00CEC9B416_2_00CEC9B4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_00CEEDB716_2_00CEEDB7
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_00CEEE0016_2_00CEEE00
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_00CEEE1016_2_00CEEE10
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_02826EA816_2_02826EA8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_02826E9916_2_02826E99
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_0693004016_2_06930040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_0693463016_2_06934630
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_0693464016_2_06934640
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_0693842A16_2_0693842A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_0693489016_2_06934890
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_0693488116_2_06934881
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_0103C9B421_2_0103C9B4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_0103EE0021_2_0103EE00
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_0103EE1021_2_0103EE10
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_06EEF93821_2_06EEF938
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_06EE464021_2_06EE4640
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_06EE463021_2_06EE4630
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_06EE488121_2_06EE4881
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_06EE489021_2_06EE4890
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_0854004021_2_08540040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_085460F021_2_085460F0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_0854909A21_2_0854909A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_0854610021_2_08546100
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_0854918821_2_08549188
        Source: Purchase Order.exeBinary or memory string: OriginalFilename vs Purchase Order.exe
        Source: Purchase Order.exe, 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs Purchase Order.exe
        Source: Purchase Order.exe, 00000000.00000002.688517547.0000000008400000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs Purchase Order.exe
        Source: Purchase Order.exeBinary or memory string: OriginalFilename vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000002.919553721.0000000000C7A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Purchase Order.exe
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Purchase Order.exe
        Source: Purchase Order.exeBinary or memory string: OriginalFilename vs Purchase Order.exe
        Source: Purchase Order.exe, 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs Purchase Order.exe
        Source: Purchase Order.exe, 0000000E.00000002.722519255.0000000002921000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs Purchase Order.exe
        Source: Purchase Order.exe, 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Purchase Order.exe
        Source: Purchase Order.exe, 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Purchase Order.exe
        Source: Purchase Order.exe, 00000016.00000002.740872002.0000000003AF9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Purchase Order.exe
        Source: Purchase Order.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Purchase Order.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Purchase Order.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: HxuauFbNyB.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: HxuauFbNyB.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: HxuauFbNyB.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.9.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.9.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.9.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Purchase Order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: HxuauFbNyB.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.9.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Users\user\Desktop\Purchase Order.exeJump to behavior
        Source: Purchase Order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Purchase Order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmp4FFB.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe C:\Users\user\Desktop\Purchase Order.exe
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp65C6.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6E05.tmp
        Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe" 0
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmpAF9F.tmp
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe C:\Users\user\Desktop\Purchase Order.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmpB24F.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exeJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmp4FFB.tmpJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe C:\Users\user\Desktop\Purchase Order.exeJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp65C6.tmpJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6E05.tmpJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exeJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmpAF9F.tmpJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe C:\Users\user\Desktop\Purchase Order.exeJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmpB24F.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Purchase Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeFile created: C:\Users\user\AppData\Roaming\HxuauFbNyB.exeJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4FFB.tmpJump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@33/23@16/2
        Source: C:\Users\user\Desktop\Purchase Order.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: 9.0.Purchase Order.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 9.0.Purchase Order.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 9.0.Purchase Order.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 9.0.Purchase Order.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 9.0.Purchase Order.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 9.0.Purchase Order.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 9.0.Purchase Order.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 9.0.Purchase Order.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 9.0.Purchase Order.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 9.0.Purchase Order.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 9.2.Purchase Order.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 9.2.Purchase Order.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\Purchase Order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Purchase Order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4240:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMutant created: \Sessions\1\BaseNamedObjects\shTmYrzGjzRYvjeh
        Source: C:\Users\user\Desktop\Purchase Order.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{87f8d778-e6d4-41b4-9e4e-8b5587ce2cae}
        Source: C:\Users\user\Desktop\Purchase Order.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: 9.2.Purchase Order.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 9.2.Purchase Order.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 9.2.Purchase Order.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 9.0.Purchase Order.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 9.0.Purchase Order.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 9.0.Purchase Order.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 9.0.Purchase Order.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 9.0.Purchase Order.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 9.0.Purchase Order.exe.400000.12.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\Purchase Order.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: Purchase Order.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Purchase Order.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: \??\C:\Windows\dll\System.pdb source: Purchase Order.exe, 00000009.00000003.743306809.0000000000D38000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp

        Data Obfuscation:

        barindex
        .NET source code contains potential unpackerShow sources
        Source: Purchase Order.exe, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: HxuauFbNyB.exe.0.dr, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 0.2.Purchase Order.exe.260000.0.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 0.0.Purchase Order.exe.260000.0.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: dhcpmon.exe.9.dr, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.4a0000.11.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.2.Purchase Order.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.2.Purchase Order.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.4a0000.2.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.4a0000.13.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.4a0000.5.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.4a0000.1.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.4a0000.3.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.2.Purchase Order.exe.4a0000.1.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.4a0000.9.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.4a0000.0.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.4a0000.7.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.0.Purchase Order.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 14.0.Purchase Order.exe.610000.0.unpack, Tetris/TetrisGame.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_00C2FE00 pushfd ; iretd 0_2_00C2FE02
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_06D59F41 push es; iretd 0_2_06D59F44
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_06FE0F30 push es; retf 0_2_06FE0F40
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 0_2_06FE40E5 push FFFFFF8Bh; iretd 0_2_06FE40E7
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286E0F0 push edx; iretd 9_2_0286E312
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286E349 push edx; iretd 9_2_0286E34A
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286E36F push edx; iretd 9_2_0286E372
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286E373 push edx; iretd 9_2_0286E37A
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286E0D8 push ecx; iretd 9_2_0286E0E2
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286E0E7 push ecx; iretd 9_2_0286E0EA
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286E0E3 push ecx; iretd 9_2_0286E0E6
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286E471 push ebx; iretd 9_2_0286E472
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_02868A61 push ss; iretd 9_2_02868A62
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_02868A70 push ss; iretd 9_2_02868B82
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286ED89 push esi; iretd 9_2_0286ED8A
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286EDB9 push esi; iretd 9_2_0286EDBA
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286EDEF push edi; iretd 9_2_0286EDF2
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286EDF7 push edi; iretd 9_2_0286EDFA
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286EDF3 push edi; iretd 9_2_0286EDF6
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_028693D9 push ds; iretd 9_2_028693DA
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_028696C7 push ds; iretd 9_2_028696CA
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_02869660 push ds; iretd 9_2_02869662
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_0286F798 pushad ; iretd 9_2_0286F79A
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_02867A80 push cs; iretd 9_2_02867C62
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 9_2_02867A71 push cs; iretd 9_2_02867A72
        Source: C:\Users\user\Desktop\Purchase Order.exeCode function: 14_2_06FA25C5 push FFFFFF8Bh; iretd 14_2_06FA25C7
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_04D23658 push eax; mov dword ptr [esp], ecx16_2_04D2365C
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_04D23648 push eax; mov dword ptr [esp], ecx16_2_04D2365C
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_06939E7A push es; ret 16_2_06939E90
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_06939FEA push es; iretd 16_2_06939FF4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 16_2_06939F06 push es; retf 16_2_06939F08
        Source: initial sampleStatic PE information: section name: .text entropy: 7.90563498094
        Source: initial sampleStatic PE information: section name: .text entropy: 7.90563498094
        Source: initial sampleStatic PE information: section name: .text entropy: 7.90563498094
        Source: 9.2.Purchase Order.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 9.2.Purchase Order.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 9.0.Purchase Order.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 9.0.Purchase Order.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 9.0.Purchase Order.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 9.0.Purchase Order.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 9.0.Purchase Order.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 9.0.Purchase Order.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 9.0.Purchase Order.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 9.0.Purchase Order.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 9.0.Purchase Order.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 9.0.Purchase Order.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\Purchase Order.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file
        Source: C:\Users\user\Desktop\Purchase Order.exeFile created: C:\Users\user\AppData\Roaming\HxuauFbNyB.exeJump to dropped file

        Boot Survival:

        barindex
        Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmp4FFB.tmp

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\Desktop\Purchase Order.exeFile opened: C:\Users\user\Desktop\Purchase Order.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        barindex
        Yara detected AntiVM3Show sources
        Source: Yara matchFile source: 21.2.dhcpmon.exe.2e3a544.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.265a520.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 16.2.dhcpmon.exe.28aa70c.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.294a520.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000000.00000002.686415706.0000000002631000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000010.00000002.715620256.0000000002881000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.722519255.0000000002921000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6284, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 7052, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 1440, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5248, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: Purchase Order.exe, 00000000.00000002.686415706.0000000002631000.00000004.00000001.sdmp, Purchase Order.exe, 0000000E.00000002.722519255.0000000002921000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.715620256.0000000002881000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
        Source: Purchase Order.exe, 00000000.00000002.686415706.0000000002631000.00000004.00000001.sdmp, Purchase Order.exe, 0000000E.00000002.722519255.0000000002921000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.715620256.0000000002881000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5204Thread sleep time: -32071s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exe TID: 5972Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2460Thread sleep time: -6456360425798339s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exe TID: 6588Thread sleep time: -12912720851596678s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exe TID: 7152Thread sleep time: -40574s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exe TID: 1680Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1472Thread sleep time: -34280s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4768Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6956Thread sleep time: -7378697629483816s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5236Thread sleep time: -30064s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6992Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Purchase Order.exe TID: 492Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1688Thread sleep time: -3689348814741908s >= -30000s
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\Purchase Order.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Purchase Order.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6213Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2122Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeWindow / User API: threadDelayed 5051Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeWindow / User API: threadDelayed 4497Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeWindow / User API: foregroundWindowGot 673Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeWindow / User API: foregroundWindowGot 520Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5779
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2543
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6400
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1902
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeThread delayed: delay time: 32071Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeThread delayed: delay time: 40574Jump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 34280
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 30064
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Purchase Order.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: dhcpmon.exe, 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
        Source: dhcpmon.exe, 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmpBinary or memory string: vmware
        Source: dhcpmon.exe, 00000015.00000002.741280282.000000000110C000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: dhcpmon.exe, 00000015.00000002.741280282.000000000110C000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b}y
        Source: Purchase Order.exe, 00000009.00000003.744958562.0000000000D00000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: dhcpmon.exe, 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\Purchase Order.exeMemory allocated: page read and write | page guardJump to behavior

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Injects a PE file into a foreign processesShow sources
        Source: C:\Users\user\Desktop\Purchase Order.exeMemory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5AJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeMemory written: C:\Users\user\Desktop\Purchase Order.exe base: 400000 value starts with: 4D5AJump to behavior
        Adds a directory exclusion to Windows DefenderShow sources
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exeJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exeJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exeJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmp4FFB.tmpJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe C:\Users\user\Desktop\Purchase Order.exeJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp65C6.tmpJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6E05.tmpJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exeJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmpAF9F.tmpJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeProcess created: C:\Users\user\Desktop\Purchase Order.exe C:\Users\user\Desktop\Purchase Order.exeJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmpB24F.tmp
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: Purchase Order.exe, 00000009.00000002.920051186.00000000012B0000.00000002.00020000.sdmpBinary or memory string: Program Manager
        Source: Purchase Order.exe, 00000009.00000002.920051186.00000000012B0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
        Source: Purchase Order.exe, 00000009.00000002.920051186.00000000012B0000.00000002.00020000.sdmpBinary or memory string: Progman
        Source: Purchase Order.exe, 00000009.00000002.920051186.00000000012B0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Purchase Order.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
        Source: C:\Users\user\Desktop\Purchase Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Purchase Order.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b44c4d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b40624.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.37bc150.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.371e600.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3aac150.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.371e600.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3efe600.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3f9c150.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3efe600.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3a0e600.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3a0e600.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.37bc150.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b3b7ee.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b40624.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3aac150.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3f9c150.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.763392801.0000000003021000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.737752237.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.756938060.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.738310654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.737115458.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.740872002.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.738929649.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.763480570.0000000004029000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6284, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 3416, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 7052, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5248, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 5600, type: MEMORYSTR

        Remote Access Functionality:

        barindex
        Detected Nanocore RatShow sources
        Source: Purchase Order.exe, 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: Purchase Order.exe, 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
        Source: Purchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
        Source: Purchase Order.exe, 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: Purchase Order.exe, 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: Purchase Order.exe, 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b44c4d.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b40624.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.37bc150.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.371e600.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3aac150.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.371e600.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3efe600.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3f9c150.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3efe600.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3a0e600.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3a0e600.4.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Purchase Order.exe.37bc150.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b3b7ee.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 9.0.Purchase Order.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.2.Purchase Order.exe.3b40624.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.Purchase Order.exe.3aac150.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 22.0.Purchase Order.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.3f9c150.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.763392801.0000000003021000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.737752237.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.756938060.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.738310654.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.737115458.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000002.740872002.0000000003AF9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000000.738929649.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000001D.00000002.763480570.0000000004029000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 6284, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 3416, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 7052, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5248, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: Purchase Order.exe PID: 5600, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management Instrumentation1Scheduled Task/Job1Process Injection112Masquerading2Input Capture11Query Registry1Remote ServicesInput Capture11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Disable or Modify Tools11LSASS MemorySecurity Software Discovery211Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion21Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSVirtualization/Sandbox Evasion21Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonHidden Files and Directories1Cached Domain CredentialsFile and Directory Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information2DCSyncSystem Information Discovery12Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing13Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 527594 Sample: Purchase Order.exe Startdate: 24/11/2021 Architecture: WINDOWS Score: 100 64 john23432.ddns.net 2->64 70 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 13 other signatures 2->76 9 Purchase Order.exe 7 2->9         started        13 Purchase Order.exe 4 2->13         started        15 dhcpmon.exe 2->15         started        17 dhcpmon.exe 2->17         started        signatures3 process4 file5 58 C:\Users\user\AppData\...\HxuauFbNyB.exe, PE32 9->58 dropped 60 C:\Users\user\AppData\Local\...\tmp4FFB.tmp, XML 9->60 dropped 62 C:\Users\user\...\Purchase Order.exe.log, ASCII 9->62 dropped 80 Adds a directory exclusion to Windows Defender 9->80 82 Injects a PE file into a foreign processes 9->82 19 Purchase Order.exe 1 15 9->19         started        24 powershell.exe 25 9->24         started        26 schtasks.exe 1 9->26         started        28 powershell.exe 13->28         started        30 schtasks.exe 13->30         started        32 Purchase Order.exe 13->32         started        34 powershell.exe 15->34         started        signatures6 process7 dnsIp8 66 john23432.ddns.net 185.140.53.160, 49763, 49764, 49765 DAVID_CRAIGGG Sweden 19->66 68 192.168.2.1 unknown unknown 19->68 52 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->52 dropped 54 C:\Users\user\AppData\Roaming\...\run.dat, data 19->54 dropped 56 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->56 dropped 78 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->78 36 schtasks.exe 1 19->36         started        38 schtasks.exe 1 19->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 30->46         started        file9 signatures10 process11 process12 48 conhost.exe 36->48         started        50 conhost.exe 38->50         started       

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.

        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        No Antivirus matches

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe20%ReversingLabsByteCode-MSIL.Backdoor.Androm
        C:\Users\user\AppData\Roaming\HxuauFbNyB.exe20%ReversingLabsByteCode-MSIL.Backdoor.Androm

        Unpacked PE Files

        SourceDetectionScannerLabelLinkDownload
        22.0.Purchase Order.exe.400000.12.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        9.2.Purchase Order.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        22.0.Purchase Order.exe.400000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        22.0.Purchase Order.exe.400000.6.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        9.0.Purchase Order.exe.400000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        22.2.Purchase Order.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        22.0.Purchase Order.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        9.0.Purchase Order.exe.400000.12.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        9.0.Purchase Order.exe.400000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        22.0.Purchase Order.exe.400000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        9.0.Purchase Order.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        9.0.Purchase Order.exe.400000.6.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
        http://www.tiro.com0%URL Reputationsafe
        http://www.goodfont.co.kr0%URL Reputationsafe
        http://www.carterandcone.coml0%URL Reputationsafe
        http://www.sajatypeworks.com0%URL Reputationsafe
        http://www.typography.netD0%URL Reputationsafe
        http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
        http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
        http://fontfabrik.com0%URL Reputationsafe
        http://www.founder.com.cn/cn0%URL Reputationsafe
        http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
        http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
        http://www.sandoll.co.kr0%URL Reputationsafe
        http://www.urwpp.deDPlease0%URL Reputationsafe
        http://www.zhongyicts.com.cn0%URL Reputationsafe
        http://www.chinhdo.com0%URL Reputationsafe
        http://www.sakkal.com0%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        john23432.ddns.net
        		185.140.53.160
        		truefalse
          		high

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://www.apache.org/licenses/LICENSE-2.0Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
            		high
            http://www.fontbureau.comPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
              		high
              http://www.fontbureau.com/designersGPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                		high
                http://www.fontbureau.com/designers/?Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                  		high
                  http://www.founder.com.cn/cn/bThePurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers?Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                    		high
                    http://www.tiro.comPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designersPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                      		high
                      http://www.goodfont.co.krPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://google.comPurchase Order.exe, 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmpfalse
                        		high
                        http://www.carterandcone.comlPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.sajatypeworks.comPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.typography.netDPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers/cabarga.htmlNPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn/cThePurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.galapagosdesign.com/staff/dennis.htmPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://fontfabrik.comPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.founder.com.cn/cnPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers/frere-user.htmlPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                            		high
                            http://www.jiyu-kobo.co.jp/Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.galapagosdesign.com/DPleasePurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers8Purchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                              		high
                              http://www.fonts.comPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                                		high
                                http://www.sandoll.co.krPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deDPleasePurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.zhongyicts.com.cnPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.chinhdo.comdhcpmon.exe, 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePurchase Order.exe, 00000000.00000002.686415706.0000000002631000.00000004.00000001.sdmp, Purchase Order.exe, 0000000E.00000002.722519255.0000000002921000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.sakkal.comPurchase Order.exe, 00000000.00000002.687946124.00000000067F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown

                                  Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public

                                  IPDomainCountryFlagASNASN NameMalicious
                                  185.140.53.160
                                  		john23432.ddns.netSweden
                                  		209623DAVID_CRAIGGGfalse

                                  Private

                                  IP
                                  192.168.2.1

                                  General Information

                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:527594
                                  Start date:24.11.2021
                                  Start time:01:47:08
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 14m 16s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Sample file name:Purchase Order.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed:38
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@33/23@16/2
                                  EGA Information:Failed
                                  HDC Information:
                                  • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                  • Quality average: 83.8%
                                  • Quality standard deviation: 1.2%
                                  HCA Information:
                                  • Successful, ratio: 94%
                                  • Number of executed functions: 120
                                  • Number of non-executed functions: 10
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  Warnings:
                                  Show All
                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  01:48:04API Interceptor876x Sleep call for process: Purchase Order.exe modified
                                  01:48:08API Interceptor121x Sleep call for process: powershell.exe modified
                                  01:48:17AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  01:48:18Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\Purchase Order.exe" s>$(Arg0)
                                  01:48:20Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                                  01:48:24API Interceptor3x Sleep call for process: dhcpmon.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASN

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):441856
                                  Entropy (8bit):7.870842594798707
                                  Encrypted:false
                                  SSDEEP:6144:zLkLojuk0QX5ni5pF/+fucpLL2Iu6va9Lzpqwayp503UAd0xqOMpBFxQS/f7mkdY:zALo5pGpZ+HLL2P68LoaDw0xdMYK6vv
                                  MD5:C7AC272D4CFD98C9D86BFF3B6C3E89D8
                                  SHA1:A6334818159CC0BAD0A8BA8CC8204685BF5BA7E5
                                  SHA-256:443C27B78B0FA24AE1131834D0307FA6DA57F1463695FC6480D0D3874D5DCF64
                                  SHA-512:2EAF931CE595C551757D9FA8F8C4CB30A2A6513AE4BE06E5C9999FAF1C1D8417BF0BCB522990638F95B5666654A78672DF0DC4EF0D1951738F5188267389C4EF
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 20%
                                  Reputation:unknown
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..a..............0................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........`...D......n...@...X............................................0..7........r...p(.....s..........+..........X....i2..o......+...*..0...........r...p..(......9.......(.....s.....s................8..............-...o.....1...o.....]...+......,....o...........,...o.......+......,%...o...........,.....o....o............,...o.......+......,......o..........X.......i?W.....o .....8......(!............,.....o....,.....o.....]...+......,....o"...&........+3..........o......
                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: [ZoneTransfer]....ZoneId=0
                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order.exe.log
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):1216
                                  Entropy (8bit):5.355304211458859
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                  MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                  SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                  SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                  SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.355304211458859
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                  MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                  SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                  SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                  SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):22276
                                  Entropy (8bit):5.602299935017771
                                  Encrypted:false
                                  SSDEEP:384:BtCDDq0AALh4FG0zOqMSBKnAjultI+7paeQ99gt/cxeT1MaXZlbAV7WVIUQeZBDM:a4FGx4KAClthtat8t9C+fwCZVM
                                  MD5:F3AFDE9F3255078A87DF08B181BCC07B
                                  SHA1:B6E580C1B2BDE3C6AE08B4B534E804E96661F333
                                  SHA-256:1E0273C349E6347A208401FB265C89F6BCFFA79BC9ECA55C99EAC682A6F9EE7F
                                  SHA-512:DECD868CD8A7443050E745A5438DB794DCF7DD2693B0B93595E8A470F5C2C2975448FCF13501D751B169BAD6CBBD2D13B2E700ED06F29823958FA9BAFC271850
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: @...e...........y...........y.o.o...P.....u..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ag4apfai.vhh.psm1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 1
                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eg0ibh2b.kqt.psm1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):0
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 1
                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmus0usj.be1.ps1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 1
                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdvinvb5.qqw.ps1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):0
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 1
                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r1wqq1el.sjv.psm1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 1
                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zlq4x5d5.t3t.ps1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 1
                                  C:\Users\user\AppData\Local\Temp\tmp4FFB.tmp
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:XML 1.0 document, ASCII text
                                  Category:dropped
                                  Size (bytes):1597
                                  Entropy (8bit):5.1421671465980845
                                  Encrypted:false
                                  SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtazxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTEv
                                  MD5:46DC76C9149F076A473473464AE3C03B
                                  SHA1:8F929735174899ACDAD9C63121BC06DB79B672B9
                                  SHA-256:FD81D1D0AF29FC83FE98DB50BAAF9E4B9E1247ABEFF22079AF23B160971780A1
                                  SHA-512:38E569D2BBBF6549899F300432D0FAC95E12DF4CDFDBA4C86B494E2620B228BDD622ED9FBAE6D1EF8EB0B030A61D60C9CFE1A79A0014079A8C6850B783D5FDD6
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                  C:\Users\user\AppData\Local\Temp\tmp65C6.tmp
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1304
                                  Entropy (8bit):5.092592834119789
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0YKDxtn:cbk4oL600QydbQxIYODOLedq34j
                                  MD5:5819E320692EF4D03DD50A326FF0B6C3
                                  SHA1:5D43319A1772A63C5BE9612179067BAB1F5C5248
                                  SHA-256:EE49351DA4C9BDD99685C72B19F8AE36B3391430D6A813A9967C13902A8ED959
                                  SHA-512:0FCD5D29F893DCC0A3E1854C0BC42868A740D0C9D99DCB360F4BF87970DBD1673EF7F4024862E762B631A90DAA2170A5ADF3B5B62AE33646E97168555D4FE3B1
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                  C:\Users\user\AppData\Local\Temp\tmp6E05.tmp
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1310
                                  Entropy (8bit):5.109425792877704
                                  Encrypted:false
                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                  C:\Users\user\AppData\Local\Temp\tmpAF9F.tmp
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:XML 1.0 document, ASCII text
                                  Category:dropped
                                  Size (bytes):1597
                                  Entropy (8bit):5.1421671465980845
                                  Encrypted:false
                                  SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtazxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTEv
                                  MD5:46DC76C9149F076A473473464AE3C03B
                                  SHA1:8F929735174899ACDAD9C63121BC06DB79B672B9
                                  SHA-256:FD81D1D0AF29FC83FE98DB50BAAF9E4B9E1247ABEFF22079AF23B160971780A1
                                  SHA-512:38E569D2BBBF6549899F300432D0FAC95E12DF4CDFDBA4C86B494E2620B228BDD622ED9FBAE6D1EF8EB0B030A61D60C9CFE1A79A0014079A8C6850B783D5FDD6
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                  C:\Users\user\AppData\Local\Temp\tmpB24F.tmp
                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  File Type:XML 1.0 document, ASCII text
                                  Category:dropped
                                  Size (bytes):1597
                                  Entropy (8bit):5.1421671465980845
                                  Encrypted:false
                                  SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtazxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTEv
                                  MD5:46DC76C9149F076A473473464AE3C03B
                                  SHA1:8F929735174899ACDAD9C63121BC06DB79B672B9
                                  SHA-256:FD81D1D0AF29FC83FE98DB50BAAF9E4B9E1247ABEFF22079AF23B160971780A1
                                  SHA-512:38E569D2BBBF6549899F300432D0FAC95E12DF4CDFDBA4C86B494E2620B228BDD622ED9FBAE6D1EF8EB0B030A61D60C9CFE1A79A0014079A8C6850B783D5FDD6
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):232
                                  Entropy (8bit):7.024371743172393
                                  Encrypted:false
                                  SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                  MD5:32D0AAE13696FF7F8AF33B2D22451028
                                  SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                  SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                  SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):8
                                  Entropy (8bit):3.0
                                  Encrypted:false
                                  SSDEEP:3:wyy:wyy
                                  MD5:15C5AF8ECD5BE1F5A50A1EDDE5FEC64D
                                  SHA1:8DF9D8352484F38F356D0C15FBE3D746BD671DD2
                                  SHA-256:9D2D45927E7408FEFC468A8D1994C9DF9141E1474CCD20061255E6C0E446FC61
                                  SHA-512:07A873C5BCD258F844FCDDC047B038D989BA8200232A36B12C611BF64EE5ED56C8AAC971B9DA4BFA88DF243647E749493EDF5F1D82C497FA01D5EC24E98BA052
                                  Malicious:true
                                  Reputation:unknown
                                  Preview: ..,...H
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):40
                                  Entropy (8bit):5.153055907333276
                                  Encrypted:false
                                  SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                  MD5:4E5E92E2369688041CC82EF9650EDED2
                                  SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                  SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                  SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):327432
                                  Entropy (8bit):7.99938831605763
                                  Encrypted:true
                                  SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                  MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                  SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                  SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                  SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):41
                                  Entropy (8bit):4.156061152695156
                                  Encrypted:false
                                  SSDEEP:3:oNt+WfW1QK4q6:oNwvaND
                                  MD5:A5B5387115236B6A3DE7EA168E729F33
                                  SHA1:424D27EBFDE15D896B9C9FF521FAF694BD182C1E
                                  SHA-256:218F6E3E727B206A0513EEBD2D82058AC3DFFA441E9EA96DA3A6291232C75C26
                                  SHA-512:FBB788C650B3F4693F0DF27844D2B6C826F6E3BEE551B2873B26C0A94E8F2AF8861CCE86759B4B5BEC18AEC1C64A902DE34AF48F9AA1C404D776D3EDD1ED5B24
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: C:\Users\user\Desktop\Purchase Order.exe
                                  C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):441856
                                  Entropy (8bit):7.870842594798707
                                  Encrypted:false
                                  SSDEEP:6144:zLkLojuk0QX5ni5pF/+fucpLL2Iu6va9Lzpqwayp503UAd0xqOMpBFxQS/f7mkdY:zALo5pGpZ+HLL2P68LoaDw0xdMYK6vv
                                  MD5:C7AC272D4CFD98C9D86BFF3B6C3E89D8
                                  SHA1:A6334818159CC0BAD0A8BA8CC8204685BF5BA7E5
                                  SHA-256:443C27B78B0FA24AE1131834D0307FA6DA57F1463695FC6480D0D3874D5DCF64
                                  SHA-512:2EAF931CE595C551757D9FA8F8C4CB30A2A6513AE4BE06E5C9999FAF1C1D8417BF0BCB522990638F95B5666654A78672DF0DC4EF0D1951738F5188267389C4EF
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 20%
                                  Reputation:unknown
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..a..............0................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........`...D......n...@...X............................................0..7........r...p(.....s..........+..........X....i2..o......+...*..0...........r...p..(......9.......(.....s.....s................8..............-...o.....1...o.....]...+......,....o...........,...o.......+......,%...o...........,.....o....o............,...o.......+......,......o..........X.......i?W.....o .....8......(!............,.....o....,.....o.....]...+......,....o"...&........+3..........o......
                                  C:\Users\user\AppData\Roaming\HxuauFbNyB.exe:Zone.Identifier
                                  Process:C:\Users\user\Desktop\Purchase Order.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: [ZoneTransfer]....ZoneId=0
                                  C:\Users\user\Documents\20211124\PowerShell_transcript.114127.krYYAnYC.20211124014807.txt
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):5789
                                  Entropy (8bit):5.396216056818636
                                  Encrypted:false
                                  SSDEEP:96:BZojUNlqDo1ZoZhjUNlqDo1ZUWg+jZIjUNlqDo1ZAruuaZ1:H
                                  MD5:1BE0A7538B4771C4ECEC66F7E6ECD744
                                  SHA1:F1CADB0F4F73F6620B85AFA8DD04DDE1EB8D06B2
                                  SHA-256:524C0FE45543198E3AE9665C1727449495F618D8E4F7D1DBD91F464C7776B7E9
                                  SHA-512:EF7ADE057FAFEF322A3C653860A563E8AE9079D608F1F2213C2042F04ECBC7122A2800EA8570BB09DC29608023F39ACAEE54039A7B9AD60BBA40B6EE61309EDF
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20211124014808..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 114127 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\HxuauFbNyB.exe..Process ID: 4544..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211124014808..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\HxuauFbNyB.exe..**********************..Windows PowerShell transcript start..Start time: 20211124015121..Username: computer\user..RunAs User: computer\jone
                                  C:\Users\user\Documents\20211124\PowerShell_transcript.114127.qKjRv7Ar.20211124014823.txt
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):5789
                                  Entropy (8bit):5.397459798230612
                                  Encrypted:false
                                  SSDEEP:96:BZujUNB3qDo1ZuZdjUNB3qDo1ZHWg+jZ+jUNB3qDo1ZlruutZi:p
                                  MD5:18AD7F9C00F426BCD5C2FB4CDE8AE949
                                  SHA1:D4BF5C55458901E02119A661CC99A58A4FA3BF71
                                  SHA-256:94EEAB0F4E488C64853FE46EE49F1D4E8F7DC08A73BBA4F8C590945D6ED834B0
                                  SHA-512:A6B0BDCDCE67FBC62EDB2226DB8AC015A208537FE0F9DC1FDCA3240B836E6E30FF822E952928BE1E97F939B6648BC9C8FBDE6023929F55BDAE05BD55165F2BD7
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20211124014824..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 114127 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\HxuauFbNyB.exe..Process ID: 5684..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211124014824..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\HxuauFbNyB.exe..**********************..Windows PowerShell transcript start..Start time: 20211124015143..Username: computer\user..RunAs User: computer\jone
                                  C:\Users\user\Documents\20211124\PowerShell_transcript.114127.ryLJLjRl.20211124014835.txt
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):0
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:96:BZ7jUNHqDo1ZNZ+jUNHqDo1Z0FWg+jZLjUNHqDo1Z/ruu/Z8:a
                                  MD5:169B9794ED2D8F49F3B13E302807E66B
                                  SHA1:E92AF7E450982DB827344E87E152709DC8F1F906
                                  SHA-256:50F05A4B39001C72AA4E1FFCE149126F0DC07CDD9222BEBC6A38C3833E74D3CB
                                  SHA-512:08C0251D3DE4422E79680C6EE90FCFCA3B59D89004B6FB5C96C658F79DB6CCA997ADB016AB1531CAA1A11A92CABEE5AB4A374DE670874573D67C100E3EF92AF6
                                  Malicious:false
                                  Reputation:unknown
                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20211124014836..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 114127 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\HxuauFbNyB.exe..Process ID: 4780..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211124014836..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\HxuauFbNyB.exe..**********************..Windows PowerShell transcript start..Start time: 20211124015218..Username: computer\user..RunAs User: computer\jone

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.870842594798707
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:Purchase Order.exe
                                  File size:441856
                                  MD5:c7ac272d4cfd98c9d86bff3b6c3e89d8
                                  SHA1:a6334818159cc0bad0a8ba8cc8204685bf5ba7e5
                                  SHA256:443c27b78b0fa24ae1131834d0307fa6da57f1463695fc6480d0d3874d5dcf64
                                  SHA512:2eaf931ce595c551757d9fa8f8c4cb30a2a6513ae4be06e5c9999faf1c1d8417bf0bcb522990638f95b5666654a78672df0dc4ef0d1951738f5188267389c4ef
                                  SSDEEP:6144:zLkLojuk0QX5ni5pF/+fucpLL2Iu6va9Lzpqwayp503UAd0xqOMpBFxQS/f7mkdY:zALo5pGpZ+HLL2P68LoaDw0xdMYK6vv
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F..a..............0.................. ........@.. ....................................@................................

                                  File Icon

                                  Icon Hash:d092989898a8a488

                                  Static PE Info

                                  General

                                  Entrypoint:0x46bbea
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x619D8146 [Wed Nov 24 00:03:18 2021 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [ecx], al
                                  add byte ptr [eax], al
                                  add byte ptr [ecx], al
                                  add dword ptr [ecx], eax
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add dword ptr [ecx], eax
                                  add dword ptr [ecx], eax
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add dword ptr [ecx], eax
                                  add byte ptr [ecx], al
                                  add dword ptr [eax], eax
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add dword ptr [ecx], eax
                                  add byte ptr [eax], al
                                  add byte ptr [ecx], al
                                  add dword ptr [eax], eax
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [ecx], al
                                  add byte ptr [ecx], al
                                  add dword ptr [ecx], eax
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add dword ptr [eax], eax
                                  add byte ptr [ecx], al
                                  add dword ptr [ecx], eax
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  aas
                                  add byte ptr [eax], al
                                  add byte ptr [esi], cl
                                  add byte ptr [eax], al
                                  add byte ptr [edx+08h], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [ecx], al
                                  add dword ptr [eax], eax
                                  add byte ptr [ecx], al
                                  add dword ptr [eax], eax
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al

                                  Data Directories

                                  NameVirtual AddressVirtual Size Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x6bb980x4f.text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x6c0000x1bd0.rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x6e0000xc.reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                  Sections

                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                  .text0x20000x69c700x69e00False0.918471443329data7.90563498094IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .rsrc0x6c0000x1bd00x1c00False0.280970982143data3.91574364935IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc0x6e0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                  NameRVASizeTypeLanguageCountry
                                  RT_ICON0x6c2200xb0GLS_BINARY_LSB_FIRST
                                  RT_ICON0x6c2d00x128GLS_BINARY_LSB_FIRST
                                  RT_ICON0x6c3f80x568GLS_BINARY_LSB_FIRST
                                  RT_ICON0x6c9600x130data
                                  RT_ICON0x6ca900x2e8data
                                  RT_ICON0x6cd780x8a8data
                                  RT_GROUP_ICON0x6d6200x5adata
                                  RT_VERSION0x6d67c0x368data
                                  RT_MANIFEST0x6d9e40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                  Imports

                                  DLLImport
                                  mscoree.dll_CorExeMain

                                  Version Infos

                                  DescriptionData
                                  Translation0x0000 0x04b0
                                  LegalCopyrightCopyright Microsoft 2011
                                  Assembly Version1.0.0.0
                                  InternalNameIEnumIDENTITYATTRIBU.exe
                                  FileVersion1.0.0.0
                                  CompanyNameMicrosoft
                                  LegalTrademarks
                                  Comments
                                  ProductNameTetris
                                  ProductVersion1.0.0.0
                                  FileDescriptionTetris
                                  OriginalFilenameIEnumIDENTITYATTRIBU.exe

                                  Network Behavior

                                  Snort IDS Alerts

                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                  11/24/21-01:48:21.223022UDP254DNS SPOOF query response with TTL of 1 min. and no authority53545318.8.8.8192.168.2.4
                                  11/24/21-01:48:21.466020TCP2025019ET TROJAN Possible NanoCore C2 60B497636640192.168.2.4185.140.53.160
                                  11/24/21-01:48:27.757393UDP254DNS SPOOF query response with TTL of 1 min. and no authority53497148.8.8.8192.168.2.4
                                  11/24/21-01:48:27.917802TCP2025019ET TROJAN Possible NanoCore C2 60B497646640192.168.2.4185.140.53.160
                                  11/24/21-01:48:33.826635UDP254DNS SPOOF query response with TTL of 1 min. and no authority53580288.8.8.8192.168.2.4
                                  11/24/21-01:48:33.987751TCP2025019ET TROJAN Possible NanoCore C2 60B497656640192.168.2.4185.140.53.160
                                  11/24/21-01:48:40.104132TCP2025019ET TROJAN Possible NanoCore C2 60B497686640192.168.2.4185.140.53.160
                                  11/24/21-01:48:47.223646TCP2025019ET TROJAN Possible NanoCore C2 60B497696640192.168.2.4185.140.53.160
                                  11/24/21-01:48:55.437215UDP254DNS SPOOF query response with TTL of 1 min. and no authority53499108.8.8.8192.168.2.4
                                  11/24/21-01:48:55.610091TCP2025019ET TROJAN Possible NanoCore C2 60B497706640192.168.2.4185.140.53.160
                                  11/24/21-01:49:01.587828UDP254DNS SPOOF query response with TTL of 1 min. and no authority53558548.8.8.8192.168.2.4
                                  11/24/21-01:49:01.759606TCP2025019ET TROJAN Possible NanoCore C2 60B497716640192.168.2.4185.140.53.160
                                  11/24/21-01:49:09.908785TCP2025019ET TROJAN Possible NanoCore C2 60B497856640192.168.2.4185.140.53.160
                                  11/24/21-01:49:16.338053TCP2025019ET TROJAN Possible NanoCore C2 60B498076640192.168.2.4185.140.53.160
                                  11/24/21-01:49:22.454612TCP2025019ET TROJAN Possible NanoCore C2 60B498136640192.168.2.4185.140.53.160
                                  11/24/21-01:49:29.843392TCP2025019ET TROJAN Possible NanoCore C2 60B498156640192.168.2.4185.140.53.160
                                  11/24/21-01:49:36.198569UDP254DNS SPOOF query response with TTL of 1 min. and no authority53512558.8.8.8192.168.2.4
                                  11/24/21-01:49:36.362823TCP2025019ET TROJAN Possible NanoCore C2 60B498226640192.168.2.4185.140.53.160
                                  11/24/21-01:49:43.220874UDP254DNS SPOOF query response with TTL of 1 min. and no authority53615228.8.8.8192.168.2.4
                                  11/24/21-01:49:43.674432TCP2025019ET TROJAN Possible NanoCore C2 60B498396640192.168.2.4185.140.53.160
                                  11/24/21-01:49:51.504844TCP2025019ET TROJAN Possible NanoCore C2 60B498416640192.168.2.4185.140.53.160
                                  11/24/21-01:49:58.390026TCP2025019ET TROJAN Possible NanoCore C2 60B498426640192.168.2.4185.140.53.160
                                  11/24/21-01:50:05.396906TCP2025019ET TROJAN Possible NanoCore C2 60B498436640192.168.2.4185.140.53.160

                                  Network Port Distribution

                                  TCP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Nov 24, 2021 01:48:21.233745098 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:21.419440031 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:21.419569969 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:21.466020107 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:21.666404009 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:21.666621923 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:21.870182037 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:21.870347977 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.037084103 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.085643053 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.256596088 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.466921091 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.540894985 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.682164907 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.682193041 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.682287931 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.682341099 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.683389902 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.683458090 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.683478117 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.683495998 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.683815956 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.684454918 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.684473991 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.684571028 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.684581041 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.685425043 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.685442924 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.685524940 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.685537100 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.686543941 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.688134909 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.741142988 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.857342958 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.857398033 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.857928038 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.858458996 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.858499050 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.858539104 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.858617067 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.867144108 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.867185116 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.867222071 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.867248058 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.867285013 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.867436886 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.867590904 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.867630959 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.867671967 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.867685080 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.867707968 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.867778063 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.867820024 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.867917061 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.867985964 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.876501083 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.876538992 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.876662970 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.876981974 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.877147913 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.877185106 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:22.877255917 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:22.877276897 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.057353973 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.057415962 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.057485104 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.058712959 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.060843945 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.061415911 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.072366953 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.072411060 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.072452068 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.072489023 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.072586060 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.072635889 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.072724104 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.072889090 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.073044062 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.075325012 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.075572014 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.075609922 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.075686932 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.084562063 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.084613085 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.084656954 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.084661961 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.084702969 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.084738970 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.084748030 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.084815025 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.084886074 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.084934950 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.084973097 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.085010052 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.085022926 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.085050106 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.085073948 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.085169077 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.085309029 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.085380077 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.085421085 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.085509062 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.085535049 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.086333990 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.086421967 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.086560965 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.087110996 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.087148905 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.087198973 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.088586092 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.088624954 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.088660955 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.089447021 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.089484930 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.089535952 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.090442896 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.090483904 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.090528011 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.132708073 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.302329063 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.302407980 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.302465916 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.302597046 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.312192917 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.312221050 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.312334061 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.313422918 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.313441992 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.313633919 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.331252098 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331275940 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331295967 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331315994 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331331968 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.331350088 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.331403971 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331424952 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331471920 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.331521988 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331542015 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331697941 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331718922 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331747055 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.331754923 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.331933022 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.331954956 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.332686901 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.333708048 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.333729982 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.333903074 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.334515095 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.334542036 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.334588051 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.335674047 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.335701942 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.335728884 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.335764885 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.335845947 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.336153984 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.336183071 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.336237907 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.337452888 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.337481976 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.338200092 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.338340044 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.338457108 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.340085030 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.347570896 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.347609997 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.347634077 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.347661018 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.347754955 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.347767115 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.347769022 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.347867012 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.347903967 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.347940922 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.348001003 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.348129034 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.348162889 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.348213911 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.348218918 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.348234892 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.352466106 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.352504969 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.352538109 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.398566961 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.463664055 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.463726997 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.464699984 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.464791059 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.475554943 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.475608110 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.475692034 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.499710083 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.499773026 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.499811888 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.499850035 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.499869108 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.499891043 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.500479937 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.500524998 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.500602007 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.501239061 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.501281023 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.502079964 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.502130985 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.502172947 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.502233982 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.513541937 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.513585091 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.513623953 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.513643980 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.513694048 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.514415979 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.514455080 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.514518023 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.523588896 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.523632050 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.523663044 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.523690939 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.523734093 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.523824930 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.525558949 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.531207085 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.531245947 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.531330109 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.532067060 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.532107115 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.532145023 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.533436060 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.534315109 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.534421921 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.534461021 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.534477949 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.543497086 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.543550968 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.543590069 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.543627977 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.543664932 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.543700933 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.543731928 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.543756008 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.543797016 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.543831110 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.543836117 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.544061899 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.544704914 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.547013044 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.547105074 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.547146082 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.547179937 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.547183990 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.547216892 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.547251940 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.547431946 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.547489882 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.547527075 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.547538042 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.547580004 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.562263012 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.565015078 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.610436916 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.626189947 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.626246929 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.626797915 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.641200066 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.641256094 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.641284943 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.641344070 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.663237095 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.663290024 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.663357019 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.663397074 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.664457083 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.664498091 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.664560080 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.664587021 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.665467024 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.665538073 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.666496992 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.666651964 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.673168898 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.673216105 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.673283100 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.673307896 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.674432993 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.674472094 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.674541950 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.674557924 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.683516979 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.683587074 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.683631897 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.683656931 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.684511900 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.684551001 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.684587955 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.684603930 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.693259954 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.693316936 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.693356037 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.693394899 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.693432093 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.693470955 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.693470955 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.693485022 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.693487883 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.693656921 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.701052904 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.701098919 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.701489925 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.701906919 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.701945066 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.702012062 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.702020884 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.702176094 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.702339888 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.703025103 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.703083992 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.703087091 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.703500032 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.712275028 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.712315083 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.712352991 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.712388039 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.712390900 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.712430000 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.712515116 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.714596033 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.714638948 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.714751005 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.714900970 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.714943886 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.714956999 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.715116024 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.715152025 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.715152979 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.715441942 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.715455055 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.715485096 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.715563059 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.715960979 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.716048002 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.716088057 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.716178894 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.717160940 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.717200994 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.718183994 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.719290972 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.719331980 CET664049763185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:23.719504118 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:23.719546080 CET497636640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:27.763818026 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:27.917136908 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:27.917308092 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:27.917802095 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:28.114300966 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:28.125785112 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:28.396569967 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:28.445650101 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:28.663265944 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:28.888015032 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:28.888155937 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.098227978 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.098263025 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.098391056 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.107036114 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.107076883 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.107192039 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.107214928 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.107249975 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.107326031 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.107372046 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.107383013 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.107415915 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.107531071 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.107558966 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.107675076 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.279465914 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.279530048 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.279568911 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.279608011 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.279647112 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.279661894 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.279684067 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.279702902 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.279722929 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.279737949 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.279819965 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.279860973 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.279900074 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.279927015 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.279959917 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.279994011 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.280035019 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.280168056 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.280232906 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.280458927 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.280510902 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.280550957 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.281517029 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.281555891 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.281619072 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.282413006 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.282485962 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.282533884 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.283350945 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.283987045 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.463701963 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.463766098 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.463907003 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.463988066 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.465416908 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.465460062 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.465581894 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.469101906 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.469141006 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.469204903 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.469278097 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.469324112 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.470493078 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.471038103 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.471079111 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.471116066 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.471173048 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.471230030 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.472421885 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.473098993 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.475033998 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.475475073 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.475512981 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.476015091 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.476083994 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.477474928 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.477551937 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.485579967 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.485632896 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.485670090 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.485743046 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.485865116 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.485925913 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.510600090 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.510660887 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.510703087 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.510803938 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.519722939 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.519788980 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.519830942 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.520401001 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.520442009 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.520482063 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.520500898 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.520529032 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.521325111 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.521456003 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.521559954 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.522469997 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.522536039 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.522577047 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.522593975 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.522639990 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.522679090 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.522732973 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.522828102 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.522866964 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.522881031 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.523106098 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.523144960 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.523199081 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.636270046 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636322975 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636365891 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636401892 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636440992 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636481047 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636482954 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.636543036 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.636668921 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636729956 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.636775017 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636811972 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636821032 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.636869907 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636929989 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.636970043 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.637350082 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.637387037 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.637402058 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.637458086 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.638359070 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.638401031 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.638506889 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.638514996 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.638922930 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.639029026 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.639178038 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.640398979 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.640562057 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.640642881 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.640683889 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.641247988 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.641417980 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.641455889 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.642318010 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.642357111 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.642399073 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.642494917 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.643471956 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.643512011 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.643591881 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.644022942 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.644170046 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.644226074 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.644263029 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.647469044 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.647506952 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.647624969 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.672502041 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.672554016 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.674401999 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.680449009 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.680505991 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.681142092 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.681680918 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.681705952 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.681873083 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.685028076 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.685751915 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.693404913 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.693428993 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.693984032 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.694026947 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.694039106 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.694891930 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.703461885 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.703494072 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.703520060 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.703620911 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.703627110 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.703649044 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.703713894 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.705027103 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.705132008 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.711317062 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.711358070 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.711448908 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.749094009 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.818769932 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.818979979 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.819555044 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.819647074 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.819658041 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.820009947 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.820174932 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.820255995 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.820321083 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.820780039 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.822192907 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.822324038 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.822364092 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.822411060 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.823259115 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.823528051 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.823568106 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.823609114 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.823924065 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.824593067 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.824634075 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.824749947 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.824778080 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.825372934 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.825411081 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.825449944 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.825455904 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.825488091 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.825489044 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.825526953 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.825965881 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.826005936 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.826010942 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.826042891 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.826347113 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.829929113 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.829968929 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.830013037 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.830033064 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.830471039 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.830511093 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.830545902 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.830549955 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.830590010 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.830596924 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.830631018 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.830960989 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.831315994 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.831520081 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.831552982 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.831594944 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.831692934 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.832433939 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.832473040 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.833431959 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.840557098 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.840595007 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.840634108 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.840672970 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.840709925 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.840725899 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.840755939 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.840760946 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.841280937 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.845124960 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.845283031 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.857121944 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.857163906 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.857738972 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.857758045 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.857796907 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.857837915 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.857892036 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.867252111 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.867296934 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.867490053 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.875807047 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.875860929 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.875952959 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.875998020 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.876934052 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.876975060 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.877015114 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.877079010 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.877109051 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.877188921 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.877274990 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.878571987 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.878609896 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.878653049 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.878846884 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:29.879040003 CET664049764185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:29.879236937 CET497646640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:33.828341961 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:33.986955881 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:33.987077951 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:33.987751007 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:34.189021111 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:34.189273119 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:34.359898090 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:34.520773888 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:34.729451895 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:34.760407925 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:34.760550976 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:34.940020084 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:34.940124035 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.142311096 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.194549084 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.203437090 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.203483105 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.203679085 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.205538988 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.205581903 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.205619097 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.205629110 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.205661058 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.205698013 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.205709934 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.205775976 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.212332010 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.212369919 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.212490082 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.367455959 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.368297100 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.368338108 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.368382931 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.369294882 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.369393110 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.378463030 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.378516912 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.378556967 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.378596067 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.378611088 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.378633976 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.378700018 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.384481907 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.384536982 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.384557962 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.384581089 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.384620905 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.384659052 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.384696007 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.384732962 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.384787083 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.385252953 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.390196085 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.390430927 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.390470028 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.390603065 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.390626907 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.390728951 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.541520119 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.541574955 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.541671991 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.550863981 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.550898075 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.550937891 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.551028967 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.551069021 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.551208973 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.551232100 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.551275969 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.551297903 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.551311016 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.551471949 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.551496029 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.552922964 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.553229094 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.553266048 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.553287029 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.553308964 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.553318024 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.553332090 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.553353071 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.553361893 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.553375959 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.553380966 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.553397894 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.553417921 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.553436041 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.553443909 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.553466082 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.560862064 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.560880899 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.560895920 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.560983896 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.561000109 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.561014891 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.561146975 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.561165094 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.561392069 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.561425924 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.563452005 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.563791990 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.563810110 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.563826084 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.563842058 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.563858986 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.563910961 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.563926935 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.563944101 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.563955069 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.566950083 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.567075014 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.567096949 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.567114115 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.567131042 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.567209005 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.567240000 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.567411900 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.567445040 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.702476025 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.702522993 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.702675104 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.710299969 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.710366964 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.710414886 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.710906029 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.710982084 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.711035967 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.711883068 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.711952925 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.712019920 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.714293003 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.714374065 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.714437962 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.715234995 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.715379000 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.715419054 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.715447903 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.715466976 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.724391937 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.724431038 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.724493980 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.724534988 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.724608898 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.724693060 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.726063967 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.732920885 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.732963085 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.733033895 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.734417915 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.737802982 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.743136883 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.743176937 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.743216038 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.743251085 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.743321896 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.743381023 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.743448973 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.743519068 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.743577957 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.743638039 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.751147985 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.751190901 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.751214981 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.751300097 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.751329899 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.751991034 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.752065897 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.752276897 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.752338886 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.752960920 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.753000021 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.753062963 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.754401922 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.754508018 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.754579067 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.763008118 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763047934 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763087034 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763143063 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.763161898 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.763185024 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763303041 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763400078 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763447046 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.763494968 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763662100 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763699055 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.763705015 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763746977 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763780117 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.763819933 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.763885021 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.763886929 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.841675997 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.903098106 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.903208017 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.911398888 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.911678076 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.920424938 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.920469046 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.920506954 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.920536041 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.920547962 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.920572042 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.920591116 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.920622110 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.920664072 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.920741081 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.920783043 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.920845032 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.920891047 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.920945883 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.921082020 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.921143055 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.921144962 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.921202898 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.921278954 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.921336889 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.921381950 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.921411037 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.929058075 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.929100037 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.929166079 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.930341005 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.930382013 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.930416107 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.930438042 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.930974007 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.931058884 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.940439939 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.940491915 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.940560102 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.941010952 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.941071033 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.941092968 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.941123009 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.941149950 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.941184998 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.942423105 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.942465067 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.942545891 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.943028927 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.943110943 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.944252968 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.944377899 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.944385052 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.944428921 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.944451094 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.944479942 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.953021049 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.953071117 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.953084946 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.953110933 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.953129053 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.953161955 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.953161955 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.953203917 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.953212976 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.953249931 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.958144903 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.958200932 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.958239079 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.958287954 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.958339930 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.959534883 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.959638119 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.959661007 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.959712982 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.960396051 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.960433006 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.960473061 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.960488081 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.960514069 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.960517883 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.960558891 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.960705996 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.960745096 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.960762024 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.960786104 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.960788012 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.960825920 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.960827112 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.960870028 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.960894108 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.960939884 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:35.961184978 CET664049765185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:35.961237907 CET497656640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:39.936757088 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:40.103362083 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:40.103513002 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:40.104131937 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:40.313364029 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:40.321032047 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:40.321373940 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:40.490206957 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:40.571537018 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:40.732424021 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:40.956341028 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:40.956434011 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.193662882 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.193722963 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.193878889 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.202486038 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.202529907 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.202564001 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.202600956 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.202652931 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.202688932 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.202706099 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.202824116 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.202860117 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.202872038 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.202894926 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.202941895 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.357352972 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.357402086 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.357491970 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.358335972 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.358453989 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.358597040 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.364403963 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.364451885 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.364536047 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.365396976 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.365431070 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.365480900 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.367353916 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.367449999 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.367572069 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.368289948 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.368331909 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.368406057 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.368890047 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.377449989 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.377872944 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.378344059 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.378375053 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.378436089 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.379309893 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.379374027 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.379434109 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.380388021 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.380449057 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.380507946 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.521584034 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.530576944 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.530631065 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.530704975 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.531032085 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.531070948 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.531095028 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.531270027 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.531405926 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.531444073 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.531471014 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.531500101 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.531629086 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.540389061 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.540430069 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.540447950 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.540469885 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.540529013 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.540676117 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.540788889 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.540841103 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.540899992 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.543411970 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.543450117 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.543487072 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.546057940 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.546097040 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.546154022 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.547446012 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.547482967 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.547502041 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.547522068 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.547578096 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.547589064 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.550389051 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.550426006 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.550474882 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.560003042 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.560086012 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.562372923 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.563241959 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.563345909 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.564034939 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.564096928 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.565016031 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.565279961 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.566041946 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.566081047 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.566097975 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.567403078 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.567442894 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.567512989 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.568319082 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.568360090 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.568392992 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.577430010 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.578227997 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.578320026 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.578402996 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.578425884 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.578475952 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.691123009 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.692390919 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.692410946 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.692449093 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.692477942 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.693303108 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.693382978 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.693532944 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.699007034 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.699024916 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.699065924 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.700300932 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.700345993 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.700407982 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.701117039 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.701144934 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.701282978 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.702354908 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.702425957 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.702441931 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.702498913 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.707042933 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.707112074 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.709168911 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.709201097 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.709240913 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.718332052 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.718391895 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.718431950 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.718453884 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.719084978 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.719104052 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.719136953 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.735449076 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.735466957 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.735522985 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.735574007 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.735620975 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.735635042 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.735718966 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.735747099 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.735795021 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.735871077 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.735917091 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.735918045 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.735990047 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.737862110 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.741337061 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.741481066 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.741534948 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.741640091 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.741719007 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.741838932 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.741884947 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.741961002 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.742007971 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.742041111 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.745628119 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.745680094 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.745682955 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.745760918 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.745860100 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.745923042 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.747252941 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.747312069 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.747322083 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.748249054 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.748322010 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.748372078 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.750305891 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.750324965 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.750391960 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.750463963 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.750482082 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.750507116 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.750588894 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.750683069 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.858357906 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.858377934 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.858444929 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.858869076 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.858947992 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.859502077 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.860296965 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.860374928 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.860435963 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.860467911 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.865333080 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.865360022 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.865384102 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.865400076 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.865452051 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.866099119 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.866161108 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.867346048 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.867422104 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.877377987 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.877413988 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.882283926 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.885277033 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.885890007 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.886018991 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.886090994 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.886101961 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.887237072 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.887314081 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.887372017 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.887496948 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.888258934 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.888453960 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.888880014 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.906440020 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.906457901 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.906506062 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.907263041 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.907305002 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.907361984 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.908303976 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.908323050 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.908371925 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.908382893 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.908772945 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.908937931 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.908982992 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.909095049 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.909131050 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.909145117 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.909185886 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.918437958 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.918457031 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.918497086 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.918557882 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.918575048 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.918576002 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.918627024 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.918663979 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.918745995 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.918783903 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.918836117 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.918858051 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.918936968 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.918968916 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.918994904 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.919018984 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.919096947 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.919131041 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.919158936 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.919178009 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.919234991 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.923320055 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.923337936 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.923398972 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.923408985 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.923417091 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.924304008 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.926064968 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.926083088 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.926156044 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.926177979 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.935404062 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.935461044 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.935518026 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.935539007 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.936105013 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.936182022 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:41.936289072 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:41.936302900 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.028557062 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.028584003 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.028716087 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.029061079 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.029078960 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.029134035 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.029195070 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.029231071 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.029294014 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.030535936 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.030687094 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.031002045 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.031065941 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.031088114 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.031151056 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.031169891 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.031176090 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.032290936 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.032311916 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.032388926 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.032407045 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.037358046 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.037414074 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.037436962 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.037481070 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.038295984 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.038384914 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.038395882 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.038458109 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.051573038 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.051625013 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.051687002 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.052310944 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.054374933 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.068501949 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.068558931 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.068597078 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.068860054 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.071461916 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.071501970 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.071557045 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.072244883 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.072411060 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.072504997 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.072546005 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.072669983 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.072999001 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.081350088 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.081410885 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.081454992 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.082371950 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.082412958 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.082452059 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.082504034 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.082520008 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.083329916 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.099356890 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.099395990 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.099550009 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.099579096 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.099620104 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.099658966 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.099719048 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.099731922 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.099798918 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.099858999 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.099899054 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.099950075 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.100049973 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.100135088 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.100222111 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.101398945 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.101440907 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.101480961 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.102345943 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.102665901 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.103379011 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.103420019 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.104302883 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.112601042 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.112642050 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.112773895 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.193597078 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.193660021 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.193856001 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.194010019 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.194173098 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.195373058 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.195378065 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.195988894 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.196158886 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.198381901 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.200397015 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.200479031 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.201395035 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.202395916 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.202435970 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.202517033 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.211496115 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.211538076 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.211576939 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.211612940 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.211622000 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.211632967 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.211652994 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.211694002 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.211824894 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.211888075 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.211926937 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.211996078 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.212027073 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.212044001 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.212090015 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.212346077 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.212385893 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.212425947 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.213300943 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.213454008 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.213490009 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.213970900 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.214112997 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.214132071 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.215351105 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.215441942 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.216316938 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.224118948 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.224159002 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.224219084 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.224255085 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.224273920 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.224293947 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.224437952 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.224478006 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.224606991 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.224662066 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.224668980 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.224685907 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.224797964 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.224920034 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.225358009 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.225397110 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.225481987 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.241426945 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.248605013 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.248658895 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.248723984 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.249366045 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.249408007 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.249428988 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.250448942 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.250489950 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.250541925 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.251332998 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.251375914 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.251389027 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.252367973 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.252407074 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.252772093 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.253385067 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.253422976 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.253477097 CET664049768185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:42.253514051 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.253525019 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:42.905731916 CET497686640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:47.026410103 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:47.197335958 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:47.197515965 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:47.223645926 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:47.429011106 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:47.445322990 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:47.445823908 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:47.610126019 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:47.650284052 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:47.855186939 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:48.060481071 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:48.060561895 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:48.261300087 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:48.329272985 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:48.384700060 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:48.458081961 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:48.542176008 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:48.587873936 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:48.656796932 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:48.656868935 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:48.813410044 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:48.853619099 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:49.017074108 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:49.035459995 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:49.245157957 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:49.416290045 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:49.618347883 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:49.618516922 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:49.849270105 CET664049769185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:50.613568068 CET497696640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:55.440514088 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:55.597476959 CET664049770185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:55.608895063 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:55.610090971 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:55.820590019 CET664049770185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:55.825061083 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:56.001575947 CET664049770185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:56.057246923 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:56.236839056 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:56.446965933 CET664049770185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:56.487123013 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:56.698493004 CET664049770185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:56.708364964 CET664049770185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:56.712040901 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:56.889123917 CET664049770185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:56.914794922 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:57.074551105 CET664049770185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:57.074686050 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:57.237109900 CET664049770185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:48:57.291800022 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:48:57.496571064 CET497706640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:01.589660883 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:01.758717060 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:01.758874893 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:01.759605885 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:01.955409050 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:01.986262083 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:01.999424934 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:02.162177086 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:02.214054108 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:02.333848000 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:02.541449070 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:02.541877031 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:02.779583931 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:02.787363052 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:02.796602964 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:02.953399897 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:02.954684973 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:03.108448029 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:03.108633995 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:03.271531105 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:03.323489904 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:03.527678013 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:03.727891922 CET664049771185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:04.496155977 CET497716640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:08.977437973 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:09.148317099 CET664049785185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:09.148478985 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:09.908785105 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:10.108935118 CET664049785185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:10.109051943 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:10.323499918 CET664049785185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:10.323582888 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:10.512654066 CET664049785185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:10.636640072 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:10.888647079 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:11.097975016 CET664049785185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:11.098125935 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:11.310277939 CET664049785185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:11.312170029 CET664049785185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:11.317183018 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:11.483081102 CET664049785185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:11.485445976 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:11.667500973 CET664049785185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:11.667629004 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:11.824129105 CET664049785185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:11.933584929 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:12.076097012 CET497856640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:16.180636883 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:16.337116957 CET664049807185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:16.337217093 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:16.338052988 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:16.539361000 CET664049807185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:16.549746990 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:16.729106903 CET664049807185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:16.777687073 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:17.181478977 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:17.383090019 CET664049807185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:17.383317947 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:17.579988003 CET664049807185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:17.595052004 CET664049807185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:17.637353897 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:17.666934967 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:17.794212103 CET664049807185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:17.840482950 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:17.998084068 CET664049807185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:18.001573086 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:18.186059952 CET664049807185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:18.186151028 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:18.219105005 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:18.358350992 CET664049807185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:18.358422995 CET498076640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:22.291673899 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:22.449115038 CET664049813185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:22.449242115 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:22.454612017 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:22.661223888 CET664049813185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:22.661592007 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:22.825623035 CET664049813185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:22.872028112 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:23.248104095 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:23.453336954 CET664049813185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:23.511130095 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:23.712052107 CET664049813185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:23.954399109 CET664049813185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:23.958362103 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:24.117978096 CET664049813185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:24.150362968 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:24.308244944 CET664049813185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:24.308377028 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:24.474565029 CET664049813185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:24.528424978 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:24.891515017 CET664049813185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:24.950294971 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:25.284239054 CET498136640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:29.538889885 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:29.842005968 CET664049815185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:29.842242002 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:29.843391895 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:30.041929007 CET664049815185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:30.042254925 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:30.282999992 CET664049815185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:30.283138037 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:30.520109892 CET664049815185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:30.520216942 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:31.071263075 CET664049815185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:31.136056900 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:31.230714083 CET664049815185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:31.278964043 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:31.290334940 CET664049815185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:31.290482998 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:31.578275919 CET664049815185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:31.578793049 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:31.809895992 CET664049815185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:31.857115984 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:32.036792994 CET664049815185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:32.091486931 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:32.107753992 CET498156640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:36.200295925 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:36.360791922 CET664049822185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:36.361114025 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:36.362823009 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:36.551776886 CET664049822185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:36.563868046 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:36.734426022 CET664049822185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:36.779376030 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:36.957137108 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:37.167972088 CET664049822185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:37.175623894 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:37.375870943 CET664049822185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:37.387360096 CET664049822185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:37.418559074 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:37.592922926 CET664049822185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:37.638834000 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:37.647336006 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:37.815951109 CET664049822185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:37.816271067 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:37.980010986 CET664049822185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:38.029606104 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:38.140961885 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:38.349008083 CET664049822185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:39.155412912 CET498226640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:43.222057104 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:43.547871113 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:43.548099995 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:43.674432039 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:43.898570061 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:43.900269032 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:44.067888021 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:44.108149052 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:44.160303116 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:44.360934019 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:44.361046076 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:44.589251995 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:44.779863119 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:44.820991039 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:44.999877930 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:45.003748894 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:45.163846016 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:45.164056063 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:45.321528912 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:45.324007034 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:45.534883976 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:46.305505037 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:46.523058891 CET664049839185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:47.140208960 CET498396640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:51.244129896 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:51.488303900 CET664049841185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:51.488430023 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:51.504843950 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:51.711160898 CET664049841185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:51.711903095 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:51.894515991 CET664049841185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:51.936913967 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:52.156439066 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:52.430790901 CET664049841185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:52.430938005 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:52.653333902 CET664049841185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:52.909399986 CET664049841185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:52.910619974 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:53.088494062 CET664049841185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:53.117634058 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:53.301353931 CET664049841185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:53.301664114 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:53.521986008 CET664049841185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:53.577719927 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:54.164855003 CET498416640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:58.234052896 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:58.389154911 CET664049842185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:58.389554024 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:58.390026093 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:58.593451977 CET664049842185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:58.597317934 CET664049842185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:58.597646952 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:58.771207094 CET664049842185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:58.812515020 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:58.964732885 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:59.218198061 CET664049842185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:59.218564034 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:59.414469957 CET664049842185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:59.431767941 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:59.609076977 CET664049842185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:59.617372036 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:59.789063931 CET664049842185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:49:59.789405107 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:49:59.949070930 CET664049842185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:00.000111103 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:00.216739893 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:00.416099072 CET664049842185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:01.204585075 CET498426640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:05.241400957 CET498436640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:05.395781040 CET664049843185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:05.396327972 CET498436640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:05.396905899 CET498436640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:05.605457067 CET664049843185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:05.623435974 CET664049843185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:05.624218941 CET498436640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:05.790030956 CET664049843185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:05.793459892 CET498436640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:06.069268942 CET664049843185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:06.307069063 CET664049843185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:06.307799101 CET498436640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:06.466123104 CET664049843185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:06.466932058 CET498436640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:06.626496077 CET664049843185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:06.626894951 CET498436640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:06.835283041 CET664049843185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:06.875864029 CET498436640192.168.2.4185.140.53.160
                                  Nov 24, 2021 01:50:10.566329956 CET664049843185.140.53.160192.168.2.4
                                  Nov 24, 2021 01:50:10.612936974 CET498436640192.168.2.4185.140.53.160

                                  UDP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Nov 24, 2021 01:48:21.116089106 CET5453153192.168.2.48.8.8.8
                                  Nov 24, 2021 01:48:21.223021984 CET53545318.8.8.8192.168.2.4
                                  Nov 24, 2021 01:48:27.737557888 CET4971453192.168.2.48.8.8.8
                                  Nov 24, 2021 01:48:27.757392883 CET53497148.8.8.8192.168.2.4
                                  Nov 24, 2021 01:48:33.804887056 CET5802853192.168.2.48.8.8.8
                                  Nov 24, 2021 01:48:33.826634884 CET53580288.8.8.8192.168.2.4
                                  Nov 24, 2021 01:48:39.916049004 CET4925753192.168.2.48.8.8.8
                                  Nov 24, 2021 01:48:39.935769081 CET53492578.8.8.8192.168.2.4
                                  Nov 24, 2021 01:48:47.006759882 CET6238953192.168.2.48.8.8.8
                                  Nov 24, 2021 01:48:47.024657965 CET53623898.8.8.8192.168.2.4
                                  Nov 24, 2021 01:48:55.415853024 CET4991053192.168.2.48.8.8.8
                                  Nov 24, 2021 01:48:55.437215090 CET53499108.8.8.8192.168.2.4
                                  Nov 24, 2021 01:49:01.566258907 CET5585453192.168.2.48.8.8.8
                                  Nov 24, 2021 01:49:01.587827921 CET53558548.8.8.8192.168.2.4
                                  Nov 24, 2021 01:49:08.956610918 CET5662153192.168.2.48.8.8.8
                                  Nov 24, 2021 01:49:08.976273060 CET53566218.8.8.8192.168.2.4
                                  Nov 24, 2021 01:49:16.159749985 CET6311653192.168.2.48.8.8.8
                                  Nov 24, 2021 01:49:16.179430008 CET53631168.8.8.8192.168.2.4
                                  Nov 24, 2021 01:49:22.270036936 CET6480153192.168.2.48.8.8.8
                                  Nov 24, 2021 01:49:22.289854050 CET53648018.8.8.8192.168.2.4
                                  Nov 24, 2021 01:49:29.518810034 CET6172153192.168.2.48.8.8.8
                                  Nov 24, 2021 01:49:29.537528038 CET53617218.8.8.8192.168.2.4
                                  Nov 24, 2021 01:49:36.176769018 CET5125553192.168.2.48.8.8.8
                                  Nov 24, 2021 01:49:36.198569059 CET53512558.8.8.8192.168.2.4
                                  Nov 24, 2021 01:49:43.199615002 CET6152253192.168.2.48.8.8.8
                                  Nov 24, 2021 01:49:43.220874071 CET53615228.8.8.8192.168.2.4
                                  Nov 24, 2021 01:49:51.222964048 CET5504653192.168.2.48.8.8.8
                                  Nov 24, 2021 01:49:51.242897987 CET53550468.8.8.8192.168.2.4
                                  Nov 24, 2021 01:49:58.212694883 CET4961253192.168.2.48.8.8.8
                                  Nov 24, 2021 01:49:58.232973099 CET53496128.8.8.8192.168.2.4
                                  Nov 24, 2021 01:50:05.221136093 CET4928553192.168.2.48.8.8.8
                                  Nov 24, 2021 01:50:05.240629911 CET53492858.8.8.8192.168.2.4

                                  DNS Queries

                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                  Nov 24, 2021 01:48:21.116089106 CET192.168.2.48.8.8.80x8292Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:48:27.737557888 CET192.168.2.48.8.8.80xf1bcStandard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:48:33.804887056 CET192.168.2.48.8.8.80x8b20Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:48:39.916049004 CET192.168.2.48.8.8.80xc74aStandard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:48:47.006759882 CET192.168.2.48.8.8.80xd4ccStandard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:48:55.415853024 CET192.168.2.48.8.8.80x5327Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:01.566258907 CET192.168.2.48.8.8.80xc747Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:08.956610918 CET192.168.2.48.8.8.80x1ef3Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:16.159749985 CET192.168.2.48.8.8.80xcc44Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:22.270036936 CET192.168.2.48.8.8.80xfe0Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:29.518810034 CET192.168.2.48.8.8.80x76f3Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:36.176769018 CET192.168.2.48.8.8.80xe73bStandard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:43.199615002 CET192.168.2.48.8.8.80x6274Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:51.222964048 CET192.168.2.48.8.8.80x2680Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:58.212694883 CET192.168.2.48.8.8.80x91bdStandard query (0)john23432.ddns.netA (IP address)IN (0x0001)
                                  Nov 24, 2021 01:50:05.221136093 CET192.168.2.48.8.8.80x383Standard query (0)john23432.ddns.netA (IP address)IN (0x0001)

                                  DNS Answers

                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                  Nov 24, 2021 01:48:21.223021984 CET8.8.8.8192.168.2.40x8292No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:48:27.757392883 CET8.8.8.8192.168.2.40xf1bcNo error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:48:33.826634884 CET8.8.8.8192.168.2.40x8b20No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:48:39.935769081 CET8.8.8.8192.168.2.40xc74aNo error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:48:47.024657965 CET8.8.8.8192.168.2.40xd4ccNo error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:48:55.437215090 CET8.8.8.8192.168.2.40x5327No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:01.587827921 CET8.8.8.8192.168.2.40xc747No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:08.976273060 CET8.8.8.8192.168.2.40x1ef3No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:16.179430008 CET8.8.8.8192.168.2.40xcc44No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:22.289854050 CET8.8.8.8192.168.2.40xfe0No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:29.537528038 CET8.8.8.8192.168.2.40x76f3No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:36.198569059 CET8.8.8.8192.168.2.40xe73bNo error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:43.220874071 CET8.8.8.8192.168.2.40x6274No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:51.242897987 CET8.8.8.8192.168.2.40x2680No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:49:58.232973099 CET8.8.8.8192.168.2.40x91bdNo error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)
                                  Nov 24, 2021 01:50:05.240629911 CET8.8.8.8192.168.2.40x383No error (0)john23432.ddns.net185.140.53.160A (IP address)IN (0x0001)

                                  Code Manipulations

                                  Statistics

                                  CPU Usage

                                  Click to jump to process

                                  Memory Usage

                                  Click to jump to process

                                  High Level Behavior Distribution

                                  Click to dive into process behavior distribution

                                  Behavior

                                  Click to jump to process

                                  System Behavior

                                  Analysis Process: Purchase Order.exe PID: 6284 Parent PID: 5216

                                  General

                                  Start time:01:47:57
                                  Start date:24/11/2021
                                  Path:C:\Users\user\Desktop\Purchase Order.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Purchase Order.exe"
                                  Imagebase:0x260000
                                  File size:441856 bytes
                                  MD5 hash:C7AC272D4CFD98C9D86BFF3B6C3E89D8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.687313055.0000000003639000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.686415706.0000000002631000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  Chronological Activities

                                  Analysis Process: powershell.exe PID: 4544 Parent PID: 6284

                                  General

                                  Start time:01:48:06
                                  Start date:24/11/2021
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
                                  Imagebase:0x970000
                                  File size:430592 bytes
                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: conhost.exe PID: 6792 Parent PID: 4544

                                  General

                                  Start time:01:48:07
                                  Start date:24/11/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff724c50000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: schtasks.exe PID: 6816 Parent PID: 6284

                                  General

                                  Start time:01:48:07
                                  Start date:24/11/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmp4FFB.tmp
                                  Imagebase:0x2a0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: conhost.exe PID: 5664 Parent PID: 6816

                                  General

                                  Start time:01:48:08
                                  Start date:24/11/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff724c50000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: Purchase Order.exe PID: 3416 Parent PID: 6284

                                  General

                                  Start time:01:48:08
                                  Start date:24/11/2021
                                  Path:C:\Users\user\Desktop\Purchase Order.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\Purchase Order.exe
                                  Imagebase:0x4a0000
                                  File size:441856 bytes
                                  MD5 hash:C7AC272D4CFD98C9D86BFF3B6C3E89D8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.677601605.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.676727006.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: NanoCore, Description: unknown, Source: 00000009.00000003.885280898.000000000460D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.677116035.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.918566646.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.676067039.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  Reputation:low

                                  Chronological Activities

                                  Analysis Process: schtasks.exe PID: 5280 Parent PID: 3416

                                  General

                                  Start time:01:48:16
                                  Start date:24/11/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp65C6.tmp
                                  Imagebase:0x2a0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: conhost.exe PID: 7064 Parent PID: 5280

                                  General

                                  Start time:01:48:17
                                  Start date:24/11/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff724c50000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: schtasks.exe PID: 7044 Parent PID: 3416

                                  General

                                  Start time:01:48:18
                                  Start date:24/11/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp6E05.tmp
                                  Imagebase:0x2a0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: Purchase Order.exe PID: 7052 Parent PID: 968

                                  General

                                  Start time:01:48:18
                                  Start date:24/11/2021
                                  Path:C:\Users\user\Desktop\Purchase Order.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Purchase Order.exe" 0
                                  Imagebase:0x610000
                                  File size:441856 bytes
                                  MD5 hash:C7AC272D4CFD98C9D86BFF3B6C3E89D8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.726406872.0000000003929000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.722519255.0000000002921000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  Chronological Activities

                                  Analysis Process: conhost.exe PID: 7072 Parent PID: 7044

                                  General

                                  Start time:01:48:18
                                  Start date:24/11/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff724c50000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: dhcpmon.exe PID: 1440 Parent PID: 968

                                  General

                                  Start time:01:48:20
                                  Start date:24/11/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                  Imagebase:0x280000
                                  File size:441856 bytes
                                  MD5 hash:C7AC272D4CFD98C9D86BFF3B6C3E89D8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.715620256.0000000002881000.00000004.00000001.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 20%, ReversingLabs
                                  Reputation:low

                                  Chronological Activities

                                  Analysis Process: powershell.exe PID: 5684 Parent PID: 7052

                                  General

                                  Start time:01:48:22
                                  Start date:24/11/2021
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
                                  Imagebase:0x970000
                                  File size:430592 bytes
                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: conhost.exe PID: 5628 Parent PID: 5684

                                  General

                                  Start time:01:48:23
                                  Start date:24/11/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff724c50000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: schtasks.exe PID: 5712 Parent PID: 7052

                                  General

                                  Start time:01:48:23
                                  Start date:24/11/2021
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HxuauFbNyB" /XML "C:\Users\user\AppData\Local\Temp\tmpAF9F.tmp
                                  Imagebase:0x2a0000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: conhost.exe PID: 4240 Parent PID: 5712

                                  General

                                  Start time:01:48:24
                                  Start date:24/11/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff724c50000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Chronological Activities

                                  Analysis Process: dhcpmon.exe PID: 5248 Parent PID: 3424

                                  General

                                  Start time:01:48:25
                                  Start date:24/11/2021
                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                  Imagebase:0x980000
                                  File size:441856 bytes
                                  MD5 hash:C7AC272D4CFD98C9D86BFF3B6C3E89D8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.743570227.0000000003E19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000015.00000002.742127513.0000000002E11000.00000004.00000001.sdmp, Author: Joe Security

                                  Chronological Activities

                                  Analysis Process: Purchase Order.exe PID: 5600 Parent PID: 7052

                                  General

                                  Start time:01:48:25
                                  Start date:24/11/2021
                                  Path:C:\Users\user\Desktop\Purchase Order.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\Purchase Order.exe
                                  Imagebase:0x750000
                                  File size:441856 bytes
                                  MD5 hash:C7AC272D4CFD98C9D86BFF3B6C3E89D8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000016.00000000.714576190.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000016.00000000.715150890.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000016.00000000.715695087.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.737893827.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.740418253.0000000002AF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.740872002.0000000003AF9000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.740872002.0000000003AF9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: NanoCore, Description: unknown, Source: 00000016.00000000.713969209.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                  Chronological Activities

                                  Analysis Process: powershell.exe PID: 4780 Parent PID: 5248

                                  General

                                  Start time:01:48:33
                                  Start date:24/11/2021
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HxuauFbNyB.exe
                                  Imagebase:0x970000
                                  File size:430592 bytes
                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET

                                  Chronological Activities

                                  Disassembly

                                  Code Analysis

                                  Reset < >

                                    Analysis Process: Purchase Order.exe PID: 6284 Parent PID: 5216 Purchase Order.exeCOMMON

                                    Executed Functions

                                    Function 06D50040, Relevance: 3.3, Instructions: 3322COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e0dd532f8ce0b2218a988a63005c3ca24419a593ca572c764170c43e82f1e288
                                    • Instruction ID: bafde35ea87ee3dbc86271e851528edaa06ad519f18ecbdc02674b26e0f13ab9
                                    • Opcode Fuzzy Hash: e0dd532f8ce0b2218a988a63005c3ca24419a593ca572c764170c43e82f1e288
                                    • Instruction Fuzzy Hash: 4573FA34A002198FCF64DF68C888A9DB7B2FF49314F168599E809AB765DB35ED81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 08410040, Relevance: .9, Instructions: 927COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688525403.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1f7c45b0ceb2e6a7f9a6b8dac4cc8c2e1ece0c6b42e6e553887afe1225af7b96
                                    • Instruction ID: c95b9810f10571877933d04930c8c5a87c06c07ec3ff3f6b347018836d92b0ca
                                    • Opcode Fuzzy Hash: 1f7c45b0ceb2e6a7f9a6b8dac4cc8c2e1ece0c6b42e6e553887afe1225af7b96
                                    • Instruction Fuzzy Hash: AAA2F731E106598FCB15EB68C8947EDB7B1FF89304F1482AAD90AA7351EB706E85CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FE1348, Relevance: .3, Instructions: 320COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688490069.0000000006FE0000.00000040.00000010.sdmp, Offset: 06FE0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bee4bf37031dc29940ca263809d7b11fb2e028d6a710229a7737454ccdea1b0b
                                    • Instruction ID: bcc6ff1727d54d82600884dce496739070508e237d8a5ebb654724a88d3a4823
                                    • Opcode Fuzzy Hash: bee4bf37031dc29940ca263809d7b11fb2e028d6a710229a7737454ccdea1b0b
                                    • Instruction Fuzzy Hash: 31C1E671E002158FCB54CFAAD880AAEBFF2BF85304F168469D406AB261DB31ED41CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C2EDB7, Relevance: .2, Instructions: 243COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ccc9d55d44b768a24f13474d6dd1fa433082d8825cc6157f76600ad3759e80f3
                                    • Instruction ID: 9d6805cdfb52c66d9cb2b58e6933914d521541602a1f5179cf0b846223fa9728
                                    • Opcode Fuzzy Hash: ccc9d55d44b768a24f13474d6dd1fa433082d8825cc6157f76600ad3759e80f3
                                    • Instruction Fuzzy Hash: E7C15AB1912B668BD710CF64EC983AD7BA1FB85328F51430BD2656FAE0D7B4104ADF84
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C2BF20, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00C2BF90
                                    • GetCurrentThread.KERNEL32 ref: 00C2BFCD
                                    • GetCurrentProcess.KERNEL32 ref: 00C2C00A
                                    • GetCurrentThreadId.KERNEL32 ref: 00C2C063
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 1bf51cc6461320f79e983fd2314fae8f3fdc8de4c6cdcf5183819b9569fe5e1e
                                    • Instruction ID: 460c31111660778749bb162132c76085c24bb975f775e98b63e713f0057ef6f5
                                    • Opcode Fuzzy Hash: 1bf51cc6461320f79e983fd2314fae8f3fdc8de4c6cdcf5183819b9569fe5e1e
                                    • Instruction Fuzzy Hash: 675187B09007488FDB20CFA9D988BDEBBF0FF48314F20855AE019A7250C7755949CF66
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C2BF30, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00C2BF90
                                    • GetCurrentThread.KERNEL32 ref: 00C2BFCD
                                    • GetCurrentProcess.KERNEL32 ref: 00C2C00A
                                    • GetCurrentThreadId.KERNEL32 ref: 00C2C063
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 548955d07bc9dbe5006c842631005f6e64fa68d211bae0216fd91d1221bfdc50
                                    • Instruction ID: deaa5902287806621ee4f07c0cc476218a237f80a90f565836ac49ad1e3fbddb
                                    • Opcode Fuzzy Hash: 548955d07bc9dbe5006c842631005f6e64fa68d211bae0216fd91d1221bfdc50
                                    • Instruction Fuzzy Hash: 695145B0A006499FDB24CFA9DA88BDEBBF0FB48314F208559E019A7250C7759944CF66
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06D5BDF0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D5C026
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 798d49b4cc834f692b4c8adfb4000985c756a6e8c297bc2536f0a442a135364d
                                    • Instruction ID: 53925a583ee5a5224a0622dd2bf0d1229aba76b43be6016821242f18078d2846
                                    • Opcode Fuzzy Hash: 798d49b4cc834f692b4c8adfb4000985c756a6e8c297bc2536f0a442a135364d
                                    • Instruction Fuzzy Hash: F5916971D002199FDF50CFA9C8817EEBBB2FF48314F0585AAE809A7680DB759985CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C29C30, Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                    Download Yara Rule
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00C29E76
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 25f81e1f6b6914200579122ba37d0cd9b99eae19a35ed3692e76f88d7ead3568
                                    • Instruction ID: f1ea0f514aa3b343578d451c3d9978dad1690ccc2d066c1b0c91e6e58add0e85
                                    • Opcode Fuzzy Hash: 25f81e1f6b6914200579122ba37d0cd9b99eae19a35ed3692e76f88d7ead3568
                                    • Instruction Fuzzy Hash: D9712370A00B158FD724DF6AE08579ABBF1FF88314F10892DE49AD7A50DB74E9098F91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C25375, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00C25431
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 52c9389e03c26a885143a577307e824d2a92cd991c646735d917a97f6609d7aa
                                    • Instruction ID: ae9e4cdc699b64dd4c2d1d01035a31775267fac3394f8ccdce8399ddf4a6a55b
                                    • Opcode Fuzzy Hash: 52c9389e03c26a885143a577307e824d2a92cd991c646735d917a97f6609d7aa
                                    • Instruction Fuzzy Hash: C741F4B1C00628CFDB24DFA9D8847DEFBB5BF89314F20806AD418AB251D7755946CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C23E08, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00C25431
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: c62879df0bebd5502d437422e46a0dc07f3eac17965ccfc93f2d300e800ac675
                                    • Instruction ID: 5ec9ad2e6ec38a2616fe053b1b6486a21dfdd8610ceb3df42e7fab859faabc8a
                                    • Opcode Fuzzy Hash: c62879df0bebd5502d437422e46a0dc07f3eac17965ccfc93f2d300e800ac675
                                    • Instruction Fuzzy Hash: D441F3B1C00628CBDB24DFA9D8847DEFBB5BF88308F208069D418AB251D7756946CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06D5BB68, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                    Download Yara Rule
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D5BBF8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: d8af41037e5e1efbf62fb6d2599479ba0cd696f74a9441f97c1baa927384b20f
                                    • Instruction ID: 48898c9a93ab0a6b48afd2add3f15a96853969567fe2ebd71b61e2979d945152
                                    • Opcode Fuzzy Hash: d8af41037e5e1efbf62fb6d2599479ba0cd696f74a9441f97c1baa927384b20f
                                    • Instruction Fuzzy Hash: AB2115B19003499FCF10CFA9C884BEEBBF5FF48314F00842AE919A7640D7789954CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C2C150, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                    Download Yara Rule
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C2C1DF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 7f34c45427c76776a35ff55094d1f501cf2119af59d5f4616049d4662a62c4f8
                                    • Instruction ID: 841041cc2d9e818820616b1aed343184ce23e444018584451172f4b43bc522f2
                                    • Opcode Fuzzy Hash: 7f34c45427c76776a35ff55094d1f501cf2119af59d5f4616049d4662a62c4f8
                                    • Instruction Fuzzy Hash: 2D2103B59002099FDB10CFA9D884AEEBBF4FB48324F14801AE814A3210C374A954CF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06D5BC58, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                    Download Yara Rule
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D5BCD8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: aebe9f029d70a4cf348592d3e90d8eed1d7504e65387867adcf4beffe4e8a8f0
                                    • Instruction ID: 19431d62c5c0994745aaddb6387d332507a923e0d48f1d2f98ff0b12356b219c
                                    • Opcode Fuzzy Hash: aebe9f029d70a4cf348592d3e90d8eed1d7504e65387867adcf4beffe4e8a8f0
                                    • Instruction Fuzzy Hash: C82116B1D003499FCB10CFAAC8847EEBBF5FF48314F10842AE919A7250C7389945CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06D5B9D0, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    • GetThreadContext.KERNELBASE(?,00000000), ref: 06D5BA4E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID: ContextThread
                                    • String ID:
                                    • API String ID: 1591575202-0
                                    • Opcode ID: d9ad8070dbd86ca4d09f9eadd515cfbebf62569f4df25198561b4bc0b5d3a676
                                    • Instruction ID: ddcaf7d590e239468bc5aa364a19d7aa7a54135afc50acc6c5743422c2bba3fd
                                    • Opcode Fuzzy Hash: d9ad8070dbd86ca4d09f9eadd515cfbebf62569f4df25198561b4bc0b5d3a676
                                    • Instruction Fuzzy Hash: 7D214971D003098FDB50CFAAC4847EEBBF5EF48324F14842AD919A7640CB78A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C2C158, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                    Download Yara Rule
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C2C1DF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 3dd47a6fe97f393b937f44dd147b0dc7e2b00808ef3bf0e7cda92836e47eb58c
                                    • Instruction ID: 5f1d096354a32b660844a714c3c647cfd8b149609ba9371c4836f7357af49ebd
                                    • Opcode Fuzzy Hash: 3dd47a6fe97f393b937f44dd147b0dc7e2b00808ef3bf0e7cda92836e47eb58c
                                    • Instruction Fuzzy Hash: 3921F5B5D002089FDB10CF99D884ADEBBF4FB48324F14801AE914B3310D374A954CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C2A090, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C29EF1,00000800,00000000,00000000), ref: 00C2A102
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 64dbb1e561c2c7bc2ac2f9684b1855261ea8afadbea72814f2f60b26a16ebed2
                                    • Instruction ID: ef2b663f5f101187fef49bc273f9aad29a9b63d1b7714384074ba7b42648e8de
                                    • Opcode Fuzzy Hash: 64dbb1e561c2c7bc2ac2f9684b1855261ea8afadbea72814f2f60b26a16ebed2
                                    • Instruction Fuzzy Hash: 70111AB6D002489FDB10CF9AD848ADEFBF5EB48324F05841ED415A7600C775A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C28FA0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C29EF1,00000800,00000000,00000000), ref: 00C2A102
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: ca855fed5e2d3b3d2117390f746d199470c4b0bb2eaaeb657e5e886fb59dfc63
                                    • Instruction ID: 516b80ab48f38e1edeedbd7386e0241fb3fc826546a5ea0e46e7015221b4f2b2
                                    • Opcode Fuzzy Hash: ca855fed5e2d3b3d2117390f746d199470c4b0bb2eaaeb657e5e886fb59dfc63
                                    • Instruction Fuzzy Hash: 431117B19003099FDB10CF9AD484BDEFBF4EB48324F10842ED829A7600C775A945CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06D5BAA8, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D5BB16
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 9d3ffd3db6f293844860b442ee6c1d955647475d1223d97ad5f785362cec034d
                                    • Instruction ID: 32bd84841838c8d59a14ebf0880879203b7a14214847f24a00b65c7ffd325acd
                                    • Opcode Fuzzy Hash: 9d3ffd3db6f293844860b442ee6c1d955647475d1223d97ad5f785362cec034d
                                    • Instruction Fuzzy Hash: 611159719002089BCF10DFA9C8447DEBBF5EF48324F10841AD515A7210C7759944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06D5B920, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: ca8377bbaa01757cbf676acd213f2f7870f6ba1e5c0823db02dafae69535edad
                                    • Instruction ID: f1a23518d5619761e5a18b1c98b57344c52e9d2b9a43056c2a8b733ad661ad3e
                                    • Opcode Fuzzy Hash: ca8377bbaa01757cbf676acd213f2f7870f6ba1e5c0823db02dafae69535edad
                                    • Instruction Fuzzy Hash: 87113AB1D003488BDB10DFAAD4547EEFBF5EF88324F14841AD519A7640CB79A944CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C29E10, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                    Download Yara Rule
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00C29E76
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: eef3135468d7a0485020654fdc4adb07a057a851f8c9077c47140b5405ad2a31
                                    • Instruction ID: 7280024567dfb7abfe857c6c5657be8f89213c0cb6dc62c553dec75020ed91a9
                                    • Opcode Fuzzy Hash: eef3135468d7a0485020654fdc4adb07a057a851f8c9077c47140b5405ad2a31
                                    • Instruction Fuzzy Hash: 7D110FB2D006498FDB20CF9AD484ADEFBF4EB88324F11852AD429B7610C378A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FE17DB, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                    Download Yara Rule
                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 06FE183D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688490069.0000000006FE0000.00000040.00000010.sdmp, Offset: 06FE0000, based on PE: false
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: 8ba9076a49a4c20a81853be80cb72823ba56042c839de678e11d6c4b56501a5e
                                    • Instruction ID: d3bdb91b2e096e557a415177e9a749fb07febe8345b695bdc20e1a18dbeddff4
                                    • Opcode Fuzzy Hash: 8ba9076a49a4c20a81853be80cb72823ba56042c839de678e11d6c4b56501a5e
                                    • Instruction Fuzzy Hash: 4411E0B58006089FDB10CF9AD888BDEBFF8EB48724F14841AE919A7200D374A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FE17E0, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                    Download Yara Rule
                                    APIs
                                    • PostMessageW.USER32(?,?,?,?), ref: 06FE183D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688490069.0000000006FE0000.00000040.00000010.sdmp, Offset: 06FE0000, based on PE: false
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: 1269c782f2447e1272dcb821f3a0010cb9a285896b14b21466a289dac1f46062
                                    • Instruction ID: 24aac5a51ca4aafcc6965b44eba39f54a78aca28d989f5b57609e3c7303635bd
                                    • Opcode Fuzzy Hash: 1269c782f2447e1272dcb821f3a0010cb9a285896b14b21466a289dac1f46062
                                    • Instruction Fuzzy Hash: 6411D3B59003499FDB10DF9AD888BDEBFF8FB48324F14841AD958A7600C375A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00A8D01C, Relevance: .1, Instructions: 72COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683286303.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 895ae27112db84cb1134681c57c05b04cf01a11fafc4e048acdd56f343137dc3
                                    • Instruction ID: 9c8954b9312f2a6f04a73810244eb94451f888e2562674b0a11761114054583e
                                    • Opcode Fuzzy Hash: 895ae27112db84cb1134681c57c05b04cf01a11fafc4e048acdd56f343137dc3
                                    • Instruction Fuzzy Hash: 4121F271504240EFDB14EF24D9C4B16BB75FB88328F24C969E80A4B386C73AD847CB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00A8D1D4, Relevance: .1, Instructions: 72COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683286303.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 752fdba1456f85b53f439c1cb7166e1a65fd9e573223f0f14cc772e4341d4d35
                                    • Instruction ID: 6c0ef4cb45c370b51a100181817c1cd791cccb1763dc2c970cdbbf6097787363
                                    • Opcode Fuzzy Hash: 752fdba1456f85b53f439c1cb7166e1a65fd9e573223f0f14cc772e4341d4d35
                                    • Instruction Fuzzy Hash: EB210771504200EFDB01EF54D5C4B56BB75FB84314F24CA6DE8095B386D336D846CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00A8D006, Relevance: .1, Instructions: 63COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683286303.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: af57110bf536b665e276df18c3aca065f7cd816b52bc3aef6dd9500828e2b863
                                    • Instruction ID: 10bc2729110f7b59ca63aa89c8e4b3fa2d07f970cef155b66978fb997d22819a
                                    • Opcode Fuzzy Hash: af57110bf536b665e276df18c3aca065f7cd816b52bc3aef6dd9500828e2b863
                                    • Instruction Fuzzy Hash: 95218E754083809FCB02DF24D994B11BF71EB46314F28C5EAD8498B2A7C33A985ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00A8D1CF, Relevance: .1, Instructions: 53COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683286303.0000000000A8D000.00000040.00000001.sdmp, Offset: 00A8D000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5bb4153f9a30fdc5044ab1fc0347d89dccf23cf42b6ecc64222b32b3c21c52e9
                                    • Instruction ID: ab777293212d5e66ef0856f51dfa4fc59d0486c1b253e423d1761ee5b71a2e0b
                                    • Opcode Fuzzy Hash: 5bb4153f9a30fdc5044ab1fc0347d89dccf23cf42b6ecc64222b32b3c21c52e9
                                    • Instruction Fuzzy Hash: E611DA75904280DFCB02DF10C6C4B55FBB1FB84324F28C6AED8494B696C33AD85ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    Function 06D5842A, Relevance: 2.6, Strings: 2, Instructions: 122COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: D=u*$UUUU
                                    • API String ID: 0-502288304
                                    • Opcode ID: 2dd829885408f779b6624513663e9aa7fec649b191065bb508d74d47a784a376
                                    • Instruction ID: d63bebfaf7ed673d163eb273fc27646405b0f948fe7647f8eff6ab898d5d6299
                                    • Opcode Fuzzy Hash: 2dd829885408f779b6624513663e9aa7fec649b191065bb508d74d47a784a376
                                    • Instruction Fuzzy Hash: C8515C70E116288FEBA4CB68CD80B8DB7F1BB48314F5482D9D50CE7615DB34AA8ACF54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C2EE10, Relevance: .3, Instructions: 315COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8910521687ddc135c6ce5549b3af69a812ad1384b44fe09660723d7761502001
                                    • Instruction ID: 528e2a1132664d44bedb227e0b6e5deb8ad26612660aee0bdbe1888c2587ce36
                                    • Opcode Fuzzy Hash: 8910521687ddc135c6ce5549b3af69a812ad1384b44fe09660723d7761502001
                                    • Instruction Fuzzy Hash: 4712C1B1513F668BE310CF65EC983AD7BA1B745329B90430BD2692EAF0D7B4114AEF44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 084160F0, Relevance: .3, Instructions: 268COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688525403.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2041a8f820cff9608d4ce4fa434e51d2809d69a425a04d1c74992df69b4906b5
                                    • Instruction ID: 716eb97af58151544445b2aa86ccb268b2d40f5550b19240c5af44a68946a361
                                    • Opcode Fuzzy Hash: 2041a8f820cff9608d4ce4fa434e51d2809d69a425a04d1c74992df69b4906b5
                                    • Instruction Fuzzy Hash: 34D10A31D2074A8ADB10EB64D990A9DB7B1FF95300F61DB9AD40977254EBB06AC8CF81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C2C9B4, Relevance: .3, Instructions: 265COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e86ee835f60befc1918e9a7fd8b3390754c927032d14b9d1ebb44f808e7ee9fc
                                    • Instruction ID: 93eaeef2eb71b5f7f2d09ab1318d8c633b4e1ea54bf1a85457f21fd2724357cb
                                    • Opcode Fuzzy Hash: e86ee835f60befc1918e9a7fd8b3390754c927032d14b9d1ebb44f808e7ee9fc
                                    • Instruction Fuzzy Hash: 12A18032E00229CFCF05DFB5D8845DEBBB2FF85300B15856AE815BB261EB31A955DB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 08416100, Relevance: .3, Instructions: 264COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688525403.0000000008410000.00000040.00000001.sdmp, Offset: 08410000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7a411c6863ffcc4ed1ef17993a4b3f54535126a5ddd97313f7c10d25e5268189
                                    • Instruction ID: 378afa26a661702207ed9e09b78990f032a6093092e41dec1059902515eccc7e
                                    • Opcode Fuzzy Hash: 7a411c6863ffcc4ed1ef17993a4b3f54535126a5ddd97313f7c10d25e5268189
                                    • Instruction Fuzzy Hash: CCD10830D2074A8ADB10EB64D890A9DB7B1FF95300F61DB9AD40977254EBB06AC8CF81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00C2EE00, Relevance: .2, Instructions: 228COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.683508293.0000000000C20000.00000040.00000001.sdmp, Offset: 00C20000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9a47f14ed38953ea939bd5c4cc111fca2b5378710192b4e4094fb939f1d68874
                                    • Instruction ID: 1d57af13ef31cd7ed8a1e9b43ef00da54edbf871c0b217c25ba49217926ceb56
                                    • Opcode Fuzzy Hash: 9a47f14ed38953ea939bd5c4cc111fca2b5378710192b4e4094fb939f1d68874
                                    • Instruction Fuzzy Hash: 40C117B1912B668BD710CF64EC983AD7BB1BB85328F51430BD1652FAE4D7B4104ADF84
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06D54630, Relevance: .2, Instructions: 150COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 259cfe05675f10521057347cde3e575c8889b9b913ca08420d24fde1c32ad334
                                    • Instruction ID: c7813f0a001e9c7686b8b90ab51036359466189ec54d59fad12631d9fdb2afaa
                                    • Opcode Fuzzy Hash: 259cfe05675f10521057347cde3e575c8889b9b913ca08420d24fde1c32ad334
                                    • Instruction Fuzzy Hash: 7C516D70A542498FDB44EFB9E4857AE7FF3EBC4308F14C925E0049B268EFB55A059B81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06D54640, Relevance: .1, Instructions: 144COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 11c431f49317893057b5c8d3f228a0677134718ce7c7092c017ebfadf8c6587f
                                    • Instruction ID: 7fa9a01b2022e9725aa5f59cbdb81b275bbce3645533c207cb5b31c78a32beba
                                    • Opcode Fuzzy Hash: 11c431f49317893057b5c8d3f228a0677134718ce7c7092c017ebfadf8c6587f
                                    • Instruction Fuzzy Hash: 09514B70A542098FDB44EFB9E4857AE7FF3EBC4308F14C829E0049B268EF755A059B81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06D54883, Relevance: .1, Instructions: 102COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a11c9202ae61d7adcfb4268eecc714d1ba021abe6ca82050bd7ce231fa970d5b
                                    • Instruction ID: 1bdb86fd1980c6d5cf99c42832b409a869cbe7be0d31ada842ff86a35e4723e7
                                    • Opcode Fuzzy Hash: a11c9202ae61d7adcfb4268eecc714d1ba021abe6ca82050bd7ce231fa970d5b
                                    • Instruction Fuzzy Hash: C14168B1E016589BEB5CCF678D406CEFAF7AFC9300F14C1BA890CAA615EB700546CE55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06D54890, Relevance: .1, Instructions: 95COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688372259.0000000006D50000.00000040.00000001.sdmp, Offset: 06D50000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f46d1f7e9f645e96f7857f6f2cef90d235d583df9271377e8f04e39f9979e52e
                                    • Instruction ID: 3245dcf046c8db1761d80a0c06dfad7f3d677a569eae6bca0639a5d05ab0ad01
                                    • Opcode Fuzzy Hash: f46d1f7e9f645e96f7857f6f2cef90d235d583df9271377e8f04e39f9979e52e
                                    • Instruction Fuzzy Hash: AA4169B1E016588BEB5CCF678D4069EFAF7AFC9300F14C1BA890CAA619DB700546CF55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Analysis Process: Purchase Order.exe PID: 3416 Parent PID: 6284 Purchase Order.exeCOMMON

                                    Executed Functions

                                    Function 028693E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                    Download Yara Rule
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0286962E
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.920155372.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 566c2f706bbb905be71e5cddd4537c5219a66fd58428395100d2f18247059bd0
                                    • Instruction ID: d471f4f58e05b64378cc672b49fca648253174396077a130605826d010ed8092
                                    • Opcode Fuzzy Hash: 566c2f706bbb905be71e5cddd4537c5219a66fd58428395100d2f18247059bd0
                                    • Instruction Fuzzy Hash: 7D712578A00B058FD724DF29D4557AABBF5BF88314F008A2DD48AD7A90E735E849CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0286FBEC, Relevance: 1.6, APIs: 1, Instructions: 119COMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0286FD0A
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.920155372.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 25716055554a81b7b16399c8645c0f516b9bb60dc0a61f0d40965ae32d0ac9f1
                                    • Instruction ID: 0f9cb8b70de0d80431e5ad21e669d3f035f8e62c9541117c1dc55a9398e00883
                                    • Opcode Fuzzy Hash: 25716055554a81b7b16399c8645c0f516b9bb60dc0a61f0d40965ae32d0ac9f1
                                    • Instruction Fuzzy Hash: 0351C0B5D00309AFDF14CFA9D884ADEBBB1FF48314F24812AE919AB610D774A945CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0286DA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0286FD0A
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.920155372.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: fa7501c62fda6b83b3ffcab501f4acaf2049aa921c654d4c908660a20902eaa1
                                    • Instruction ID: 10b7dd2a709eefa14f8928b141e425457a63ac7bbdc0ab1aeba5c60a9c2321ae
                                    • Opcode Fuzzy Hash: fa7501c62fda6b83b3ffcab501f4acaf2049aa921c654d4c908660a20902eaa1
                                    • Instruction Fuzzy Hash: 1951CDB5D00309AFDB14CF99D884ADEBBB5BF48314F24812AE919AB610D774A845CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0286A14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                    Download Yara Rule
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0286BCC6,?,?,?,?,?), ref: 0286BD87
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.920155372.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 7bca6b633bda8e7d49c7280ecf1a9adf5c7e5876bd9039c4e17e2d4afd97f648
                                    • Instruction ID: 9ffba7342ed1bfec2f8ee549eccf84982ce489551f31223b9394f47a4b91e8f1
                                    • Opcode Fuzzy Hash: 7bca6b633bda8e7d49c7280ecf1a9adf5c7e5876bd9039c4e17e2d4afd97f648
                                    • Instruction Fuzzy Hash: 7321E4B5900248AFDB10CF99D984AEEBBF4EB48324F14841AE918F7310D378A954CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0286BCF9, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                    Download Yara Rule
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0286BCC6,?,?,?,?,?), ref: 0286BD87
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.920155372.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 27e46f6624ff346a1237a61305165772d54df82aa05435df07d0fab1922f9a5a
                                    • Instruction ID: 5b8712cb6d35fab7f358543ade6af880815a6fd1a94306b6770800e39548965a
                                    • Opcode Fuzzy Hash: 27e46f6624ff346a1237a61305165772d54df82aa05435df07d0fab1922f9a5a
                                    • Instruction Fuzzy Hash: ED21E0B9900208DFDB10CFA9D584AEEBBF5EB48324F14841AE958E7210D778A954CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 02868768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028696A9,00000800,00000000,00000000), ref: 028698BA
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.920155372.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 3c99687d4c922f734547b789444eeebce4f14276103012dcfb21c612e740b5a7
                                    • Instruction ID: fa55e07f280433e0d81226b3bc24c83b8118f0f7bf19de2abb5a890f69f6e146
                                    • Opcode Fuzzy Hash: 3c99687d4c922f734547b789444eeebce4f14276103012dcfb21c612e740b5a7
                                    • Instruction Fuzzy Hash: 391103BA9002099FDB10CF9AC448AEEFBF4EB48314F04842ED519B7640C774A945CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0286984B, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028696A9,00000800,00000000,00000000), ref: 028698BA
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.920155372.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 3c1c77f26287b90ce74bcb7932aabd644c0a4643899b549335b780442d23ea5c
                                    • Instruction ID: 994ac4ec0fe604d47c3e6266fd1388c7ce8ffc57c059399fced538cea4173ecb
                                    • Opcode Fuzzy Hash: 3c1c77f26287b90ce74bcb7932aabd644c0a4643899b549335b780442d23ea5c
                                    • Instruction Fuzzy Hash: A111F3BAD002098FDB14CF99D448ADEFBF5EB48314F14842ED529B7640C778A549CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 028695C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                    Download Yara Rule
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0286962E
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.920155372.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 6c9a01e9909fe92049e763d131a101129549105c04912c89036459e89c68aaf2
                                    • Instruction ID: 8317587d8697634a1c14677909f0cd51c80039c5e06a1b9f634249fcd1ad69a6
                                    • Opcode Fuzzy Hash: 6c9a01e9909fe92049e763d131a101129549105c04912c89036459e89c68aaf2
                                    • Instruction Fuzzy Hash: C711E0B9D007498FDB10CF9AD448BDEFBF4EF88224F14842AD429A7641D378A545CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0286DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                    Download Yara Rule
                                    APIs
                                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0286FE28,?,?,?,?), ref: 0286FE9D
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.920155372.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: c6e992dad5bb862043c4c6e4af6ae977f9f09cafe7d0b8911e2bc393e1537c06
                                    • Instruction ID: 9dc520dc5edc7c5c8a0c0fc3c935187117f2fd5c91077f96f721ef14b8aaf8ba
                                    • Opcode Fuzzy Hash: c6e992dad5bb862043c4c6e4af6ae977f9f09cafe7d0b8911e2bc393e1537c06
                                    • Instruction Fuzzy Hash: E81106B59002489FDB10CF99D589BEFBBF8EB48324F10845AEA19B7701C374A944CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0286FE3B, Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                    Download Yara Rule
                                    APIs
                                    • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0286FE28,?,?,?,?), ref: 0286FE9D
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.920155372.0000000002860000.00000040.00000001.sdmp, Offset: 02860000, based on PE: false
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: 6d5c4cc1c0f1bd81844d883acf1d9b8ce0bc6cbef57450cc34e53e1d0fb3fc5c
                                    • Instruction ID: 080dbd9bac65ef69fa904a3be6bd4ef5ec6c7f7a9011202b8a5b60ca1e204200
                                    • Opcode Fuzzy Hash: 6d5c4cc1c0f1bd81844d883acf1d9b8ce0bc6cbef57450cc34e53e1d0fb3fc5c
                                    • Instruction Fuzzy Hash: DB1145B59003098FDB10CF89D589BDEBFF4EB48324F10841AD919A7701C378A945CFA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00ABD4A0, Relevance: .1, Instructions: 75COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.919305180.0000000000ABD000.00000040.00000001.sdmp, Offset: 00ABD000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5a53fb0cbf6e9b1b54569aed58bd88d0063a492c01bc21d85d67aa3bba819134
                                    • Instruction ID: 175e9e15f6ab56c11054191a8f45f356a664312d82a2f54397f8a173c2393ded
                                    • Opcode Fuzzy Hash: 5a53fb0cbf6e9b1b54569aed58bd88d0063a492c01bc21d85d67aa3bba819134
                                    • Instruction Fuzzy Hash: 382125B1504240DFDB15CF14D9C0BA6BF69FB88328F24CA69E9090B247D336D856DBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00ABD3B4, Relevance: .1, Instructions: 75COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.919305180.0000000000ABD000.00000040.00000001.sdmp, Offset: 00ABD000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 25ff268459641de57337ef77e1526d84df47da7555b0141f3718457354cee78d
                                    • Instruction ID: 45a19b824ab467f603e94a8d88c691e4acecfaa923aee60b0eea9030d485c901
                                    • Opcode Fuzzy Hash: 25ff268459641de57337ef77e1526d84df47da7555b0141f3718457354cee78d
                                    • Instruction Fuzzy Hash: 9B2137B1504240DFDB01CF14D9C0B96BF79FB88324F24C9A9E8094B247D336E856DBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00BDD01C, Relevance: .1, Instructions: 72COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.919388327.0000000000BDD000.00000040.00000001.sdmp, Offset: 00BDD000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 00c73007e8c4b4465e2bc202d8de6f615287549cf46558cba7f3965072c6f39c
                                    • Instruction ID: 7bc100527a0b761e425cd1223953d0f07473d734f07e6b4356520514bb9d8a89
                                    • Opcode Fuzzy Hash: 00c73007e8c4b4465e2bc202d8de6f615287549cf46558cba7f3965072c6f39c
                                    • Instruction Fuzzy Hash: DF21D075504240DFDB14DF24D9D4B16FBA5EB88314F24C9AAE8894B346D33AD847CA62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00BDD005, Relevance: .1, Instructions: 60COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.919388327.0000000000BDD000.00000040.00000001.sdmp, Offset: 00BDD000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d3fe249226b88bd41ca0f6437a1dddd229efb18eecc44cf0bdaf6e9af8c70840
                                    • Instruction ID: 68c52dd69ffa4cb88242405aa303032dc534fc2dac5d8dad22747b75ff88ff15
                                    • Opcode Fuzzy Hash: d3fe249226b88bd41ca0f6437a1dddd229efb18eecc44cf0bdaf6e9af8c70840
                                    • Instruction Fuzzy Hash: DF2153755093809FCB12CF24D5A4715BF71EB46314F28C5DBD8898B697C33A984ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00ABD3AF, Relevance: .1, Instructions: 56COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.919305180.0000000000ABD000.00000040.00000001.sdmp, Offset: 00ABD000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
                                    • Instruction ID: 693f7ccbc9f8340a73f347a75d11f999648b0f37f5aa9de24c7d4c3df9eeb1b2
                                    • Opcode Fuzzy Hash: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
                                    • Instruction Fuzzy Hash: 4E11D076404280CFCB12CF10D9C4B56BF71FB94324F28C6A9D8490B657C33AE85ACBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00ABD49B, Relevance: .1, Instructions: 56COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.919305180.0000000000ABD000.00000040.00000001.sdmp, Offset: 00ABD000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
                                    • Instruction ID: 2cc627ec5cba9c513c1ad10f6fe73dc76d3c752d946497ba9b463d878b87bf69
                                    • Opcode Fuzzy Hash: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
                                    • Instruction Fuzzy Hash: D611B176504280CFCB12CF14D5C4B56BF71FB84324F2886A9D8050B657C336D85ACBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    Analysis Process: Purchase Order.exe PID: 7052 Parent PID: 968 Purchase Order.exeCOMMON

                                    Executed Functions

                                    Function 06FA01A0, Relevance: 2.6, Strings: 2, Instructions: 93COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: $%l$$%l
                                    • API String ID: 0-1113482058
                                    • Opcode ID: dcf7126d5ebe7c82cf9e7c5ec20181abf363641caabaff42cbb084ac7e30c0a6
                                    • Instruction ID: 83a91c6cec8e7ccfcf53e8d0c1ebb859be72a2b01eec65870093727d4dab6a27
                                    • Opcode Fuzzy Hash: dcf7126d5ebe7c82cf9e7c5ec20181abf363641caabaff42cbb084ac7e30c0a6
                                    • Instruction Fuzzy Hash: 73315870B007058BDB28AF69D8A466E77E2EF89714F04847CD50A8F796DF39D906CB84
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA01B0, Relevance: 2.6, Strings: 2, Instructions: 88COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: $%l$$%l
                                    • API String ID: 0-1113482058
                                    • Opcode ID: b93263f1e876c4897c0331139b5958e3763acd4b462145f0dca53c924baa1f7e
                                    • Instruction ID: 94af1d65db5a36e709d196c686ec64666ca44433bcad12e13b12b8eadf2603e3
                                    • Opcode Fuzzy Hash: b93263f1e876c4897c0331139b5958e3763acd4b462145f0dca53c924baa1f7e
                                    • Instruction Fuzzy Hash: CA315870B007058BDB28AF69D8A462E76A2EF89614F04847CD40A8F796CF38E905CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2BDE7, Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05A2C026
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 5b2122fdd6175a892b059111a2f0cba988e996773c96980ae1f2fd74c2f98196
                                    • Instruction ID: cd158a1cf181c28e16b157881166555417641799f07f21689ae22f0f1ac9c988
                                    • Opcode Fuzzy Hash: 5b2122fdd6175a892b059111a2f0cba988e996773c96980ae1f2fd74c2f98196
                                    • Instruction Fuzzy Hash: 17914C71D04629DFDB10CFA9C842BEEBBB2FF48314F048569E819A7250DB749985CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2BDF0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05A2C026
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 06c489eed700bf9c5066191512e8709cbca434e91a1c50b7a3c3f44a6da40c58
                                    • Instruction ID: b695ef4a8385d731e8896b97243bc96ff8a149a1d780b7b4b40ede5a0a82d173
                                    • Opcode Fuzzy Hash: 06c489eed700bf9c5066191512e8709cbca434e91a1c50b7a3c3f44a6da40c58
                                    • Instruction Fuzzy Hash: 4E914C71D04629DFDB10CFA9C842BEEBBB2FF48314F048569E819A7250DB749985CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2BB60, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                    Download Yara Rule
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05A2BBF8
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: ba1827828c0bc6c5ce8e88448d053f1342ea6020215de5d75ce1cce8b9eb091b
                                    • Instruction ID: 60213dc7f5498b08755b98e134cba7b71b0ae8c4fd966c0c36bcd17bde8d75ce
                                    • Opcode Fuzzy Hash: ba1827828c0bc6c5ce8e88448d053f1342ea6020215de5d75ce1cce8b9eb091b
                                    • Instruction Fuzzy Hash: C22126B59003599FDB00CFA9C985BDEBBF5FF48314F10882AE919A7240D7789954CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2BB68, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                    Download Yara Rule
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05A2BBF8
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: 8c91dad7d6a6fb30078f5093cd82b039c1e77eb736c2da35d4e89fdfa6c09298
                                    • Instruction ID: 3b5550b86ea96ce0666fb4f328a6a74ac36e934fa35176a775781749ad3423cd
                                    • Opcode Fuzzy Hash: 8c91dad7d6a6fb30078f5093cd82b039c1e77eb736c2da35d4e89fdfa6c09298
                                    • Instruction Fuzzy Hash: B52119B19003599FDF10CFA9C985BDEBBF5FF48314F10842AE919A7240D778A954CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2B9C8, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    • GetThreadContext.KERNELBASE(?,00000000), ref: 05A2BA4E
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: ContextThread
                                    • String ID:
                                    • API String ID: 1591575202-0
                                    • Opcode ID: eb6401a29b7ba783bcd29dcd8d8862306b6c1167f5c3b91e596b6a3c832315f3
                                    • Instruction ID: a99088cb7e49214fb04717a6c5a155e4ab7f46ee64549da5f043b1b1d7581f74
                                    • Opcode Fuzzy Hash: eb6401a29b7ba783bcd29dcd8d8862306b6c1167f5c3b91e596b6a3c832315f3
                                    • Instruction Fuzzy Hash: C62137B1D003098FDB10CFA9D5857EEBBF4FF48214F14842AD519A7240DB78A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2B9D0, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    • GetThreadContext.KERNELBASE(?,00000000), ref: 05A2BA4E
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: ContextThread
                                    • String ID:
                                    • API String ID: 1591575202-0
                                    • Opcode ID: bb9d12dc3d925560d20a17d668c107af564c1dd1b0ac0e4a3fa2f72d32d09452
                                    • Instruction ID: 97fbd32856f662c6afe50854264e6ddad6a3fe3d7b70aa1f8781c2b901fe9e11
                                    • Opcode Fuzzy Hash: bb9d12dc3d925560d20a17d668c107af564c1dd1b0ac0e4a3fa2f72d32d09452
                                    • Instruction Fuzzy Hash: 792118B1D003198FDB10DFAAD4857EEBBF4FF48214F14842AD559A7240DB78A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2BC50, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                    Download Yara Rule
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A2BCD8
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: 088f966550c7ae8d346aebc491e448012b1c40c9b99f8edcf487e25fcc8af273
                                    • Instruction ID: f0fa9481bd5cb2d2ce46d8a51c11d654e1c5b352f5a5f6a498c4a53c4d5851d8
                                    • Opcode Fuzzy Hash: 088f966550c7ae8d346aebc491e448012b1c40c9b99f8edcf487e25fcc8af273
                                    • Instruction Fuzzy Hash: EF2116B1D002199FCB00CFA9D985BEEBBF5FF48314F10882AE519A7240D738A955CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2BC58, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                    Download Yara Rule
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A2BCD8
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: 398501ad03ee667d37f5d695fd20c15a99ccd47328eaf6ad430be056a7fdb480
                                    • Instruction ID: 82609c0e3249b1141bca7a82974b2695e731c1b7354b1846bcf1e26ec137a22e
                                    • Opcode Fuzzy Hash: 398501ad03ee667d37f5d695fd20c15a99ccd47328eaf6ad430be056a7fdb480
                                    • Instruction Fuzzy Hash: 3D2128B19003599FCB10CFAAC885BDEBBF5FF48314F10842AE919A7240C738A954CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2BAA0, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A2BB16
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: ee1cd245751330d9b59feafc46a16eefccde29b5ed05802049dbdd97f49a7610
                                    • Instruction ID: 2134b6710a797ac6c9060197e8ef801a2ccd2cccf2e7536e412e9b4242c548fe
                                    • Opcode Fuzzy Hash: ee1cd245751330d9b59feafc46a16eefccde29b5ed05802049dbdd97f49a7610
                                    • Instruction Fuzzy Hash: 0F1126B29002099FDF10CFA9D845BEEBBF5BF48324F14881AD525B7250C779A954CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2BAA8, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A2BB16
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 148a06444c90d437d3ed328f034c0557e6cc33dcc4af90ab24204093a68e3c49
                                    • Instruction ID: c63ee47517e55098949900bc35f155de9c79e522f22e18da0df1a16790110efa
                                    • Opcode Fuzzy Hash: 148a06444c90d437d3ed328f034c0557e6cc33dcc4af90ab24204093a68e3c49
                                    • Instruction Fuzzy Hash: BB1156719002089BCF10CFAAC844BDFBBF5FF88324F108819E525A7210C739A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2B920, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: 1882be4a14d3e2c3c1e254545b0d80c6fd6e3d96387617a10dc7a603e6cc4dd0
                                    • Instruction ID: 4fa64e9fd14d2503573daf784396bfde62b7924133311f4f0f299ba14a192974
                                    • Opcode Fuzzy Hash: 1882be4a14d3e2c3c1e254545b0d80c6fd6e3d96387617a10dc7a603e6cc4dd0
                                    • Instruction Fuzzy Hash: 08113AB1D007488FDB10DFAAD4457DFFBF5AF88224F148419D519A7240CB78A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A2B918, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: 4ef1dbf2e771128bcf6d4486e4fc10c10ede63f179997d15e644617e3023a0a0
                                    • Instruction ID: 0dfd92e4b5a615d4eea124a963182cd1dc67a305d8a9079fa9965a4d8898b136
                                    • Opcode Fuzzy Hash: 4ef1dbf2e771128bcf6d4486e4fc10c10ede63f179997d15e644617e3023a0a0
                                    • Instruction Fuzzy Hash: 761128B1D007498FDB10CFA9D5457EEBBF5AF48224F14882AC519B7640CB78A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 05A23AA0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                    Download Yara Rule
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 05A2FE2D
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.729821272.0000000005A20000.00000040.00000001.sdmp, Offset: 05A20000, based on PE: false
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: 0aea0da3d943643b25f38edb867fe8664092aa07be40971852df1dd4a914887e
                                    • Instruction ID: 62ec7122fdc602e5cdfc5cab81157a3d30b74960848dc7cb7b9670143904bb09
                                    • Opcode Fuzzy Hash: 0aea0da3d943643b25f38edb867fe8664092aa07be40971852df1dd4a914887e
                                    • Instruction Fuzzy Hash: BC11F2B59007599FDB10CF99D489BDEBBF8FB48324F10841AE915A7600D374A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA205B, Relevance: .1, Instructions: 59COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6f6867a1dcf0b857e984e93b97a4f71ba8a9cff7ab260d7f6e97829e150c85ac
                                    • Instruction ID: 87114cc7615b37f606b78a38f723fc24a75f81a423046a510c29e27afa6c614a
                                    • Opcode Fuzzy Hash: 6f6867a1dcf0b857e984e93b97a4f71ba8a9cff7ab260d7f6e97829e150c85ac
                                    • Instruction Fuzzy Hash: FF11E6347097808FC316DB39C8589567FB6AF87204B0980EEE149CB273DB359D06DB11
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA0518, Relevance: .1, Instructions: 58COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b6bedad80b4d24f38b05ecbe134e33201c910b88958203d4948de875cfe1c24e
                                    • Instruction ID: 305242cc8ab4908d1bda461b25e2044ae70283b503cc034a0e888d3a4b984a9c
                                    • Opcode Fuzzy Hash: b6bedad80b4d24f38b05ecbe134e33201c910b88958203d4948de875cfe1c24e
                                    • Instruction Fuzzy Hash: EB1129B0E0120ACFCB58DF69D444AAEF7F1AF48218F1585A9D418EB321DB34D901CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA0528, Relevance: .1, Instructions: 54COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 88693a993533de045f140ee9a10fe1f9cad7804f7acbca0e5932e3a0d07736bf
                                    • Instruction ID: e13aef15f9b1145ce7e3ee60a7527c6597e0aae56be37d0128cc3c9cf1fbe48e
                                    • Opcode Fuzzy Hash: 88693a993533de045f140ee9a10fe1f9cad7804f7acbca0e5932e3a0d07736bf
                                    • Instruction Fuzzy Hash: FF01ADB5704710DFE3748B19F98463BBBE6EBC9719B04882EE44686601DF32E80297A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA0AFF, Relevance: .1, Instructions: 53COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4bc968b62065fbf8db2bff2021d73f8e032438475bf7f3e6adac6963e10abe23
                                    • Instruction ID: 3158d52340c3b17bbd17c4725c2a5920ce1db4fc1fa55cb6e61d88d077d7c5e7
                                    • Opcode Fuzzy Hash: 4bc968b62065fbf8db2bff2021d73f8e032438475bf7f3e6adac6963e10abe23
                                    • Instruction Fuzzy Hash: DE11F9B4E01306CFCB58DF69D444AAEFBF1AF49218F1985A9C414EB361DB38D842CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA0AB0, Relevance: .0, Instructions: 48COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3412d0e67961d05e0dda9e9bc9f3a26ddb1f781b6cc579c8e83635952e51dcec
                                    • Instruction ID: ce910c88618008d369b2b7bfce186518c7f641c223061f60bbff795d45a2708f
                                    • Opcode Fuzzy Hash: 3412d0e67961d05e0dda9e9bc9f3a26ddb1f781b6cc579c8e83635952e51dcec
                                    • Instruction Fuzzy Hash: 060152B1F047058FDB84EF69E88579EBBF2AB84208F14C47AC019DB245EF749445CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA2198, Relevance: .0, Instructions: 44COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6e0ac5c877e71a99975d6f4167132f2fd504505909f3a3e252da72492260df16
                                    • Instruction ID: 08a72fdf22c19d8ce3ec6da2116dbd99abf189e2ec3603866938745450fac914
                                    • Opcode Fuzzy Hash: 6e0ac5c877e71a99975d6f4167132f2fd504505909f3a3e252da72492260df16
                                    • Instruction Fuzzy Hash: 88015770D092989FCB44CFB58848BFDBFF0AB06301F1884AAE454A3291C3744B44DF10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA21A8, Relevance: .0, Instructions: 42COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e5e6df3bd19228dc0b015a0601416ca6e6811d85d141072c0635b6bbd6d0becc
                                    • Instruction ID: 32da890ca8e850e92505452cd4c12e54c57469da2ea3a5697ac1fce859813e14
                                    • Opcode Fuzzy Hash: e5e6df3bd19228dc0b015a0601416ca6e6811d85d141072c0635b6bbd6d0becc
                                    • Instruction Fuzzy Hash: 18011A74D052189FDB44DFA5D808BBDBBF5BB06301F1484AAD429A3290D7744B40DF54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA1FF9, Relevance: .0, Instructions: 28COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c7bfdbb1c3136d3505dc34677d9f3250096317b013f456c6a88f69d162ed79b7
                                    • Instruction ID: f200d6a88939b8f2f04ef433f72d4a6232bf37d977932fda8808c96890d318ca
                                    • Opcode Fuzzy Hash: c7bfdbb1c3136d3505dc34677d9f3250096317b013f456c6a88f69d162ed79b7
                                    • Instruction Fuzzy Hash: 0FF05EB0E003159FD750DF6A881576BBAF8EF48240F14C4299009E2210EB74D601CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA2008, Relevance: .0, Instructions: 25COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9ddfedc33457a33937cd7db369a94a4e3ea690e604cb0e088cddf681b1706df0
                                    • Instruction ID: 92602e5d5ee6b1176184085f331fdd99bd94326f995e953056334d5ac5fdc734
                                    • Opcode Fuzzy Hash: 9ddfedc33457a33937cd7db369a94a4e3ea690e604cb0e088cddf681b1706df0
                                    • Instruction Fuzzy Hash: 6CE030B0E003159FD750DF6A885476BBEF4BF08200F14C829D009E2210EB718601CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA1768, Relevance: .0, Instructions: 23COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 74d5a1eb2b947865709d062d401ececa01dd54abe8d059b0edd9af5264b279bd
                                    • Instruction ID: 2904c4c247c26c822ced159e447d415fb3928daec6aaa9753cf1acb5e2a79231
                                    • Opcode Fuzzy Hash: 74d5a1eb2b947865709d062d401ececa01dd54abe8d059b0edd9af5264b279bd
                                    • Instruction Fuzzy Hash: E4E0C2B1B04B101BE765DB7EAC00667BBDD9F81614B05C47AA40CD2250DEA8E8004699
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA10F7, Relevance: .0, Instructions: 22COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fb9b8680d84baec7102069017903bf90015a3ab805069c85db09e77b1909a112
                                    • Instruction ID: 800c6b8675518f45b216cb9d41fd6b0ea10db08b1276ae78e1b4fcc330e2c7a5
                                    • Opcode Fuzzy Hash: fb9b8680d84baec7102069017903bf90015a3ab805069c85db09e77b1909a112
                                    • Instruction Fuzzy Hash: A3F065F4D0020AEFD780EFA9C945AAABBF4FF08700F1184AAD009E3310E77896058F81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA1718, Relevance: .0, Instructions: 19COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 02b3211ed0c3cfad5efb3ed7a1f69a8c520538f13ecae75fde10673d422ba4b2
                                    • Instruction ID: 710e93223bc7e339e267c09393c6e61a0d93e2ac4788a5a9883ec7810b70a97e
                                    • Opcode Fuzzy Hash: 02b3211ed0c3cfad5efb3ed7a1f69a8c520538f13ecae75fde10673d422ba4b2
                                    • Instruction Fuzzy Hash: 26E046B0D0030ADFCB80EFA8C50679EBAF0FB08211F41886AE025E6240E7B882058FD1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA1778, Relevance: .0, Instructions: 18COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e3899eabcb334b76e9ca857d879628c3805b2f61f23ed9ce88d1c8b43da8fe15
                                    • Instruction ID: fc027e53c82f76d9fb0cc20019d339223d5f710c0c687bb251b023ecb5dab57b
                                    • Opcode Fuzzy Hash: e3899eabcb334b76e9ca857d879628c3805b2f61f23ed9ce88d1c8b43da8fe15
                                    • Instruction Fuzzy Hash: 9ED0A9B1B00B201B62A8E63FAD00837F6CE8EC4A54304C03AA40DC3210DE28E80041A8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA1108, Relevance: .0, Instructions: 18COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ba04ba9ae8e85740484776a5561cc83cab7b1a930910eb0593527f79f1e32df1
                                    • Instruction ID: 84663437d798a84c2fab97f895d2b7b6424df3259a8548ebd77d91d7f1f75c3e
                                    • Opcode Fuzzy Hash: ba04ba9ae8e85740484776a5561cc83cab7b1a930910eb0593527f79f1e32df1
                                    • Instruction Fuzzy Hash: 9DE0B6F5D40209DFD780EFB9C945A6EBBF5BF08600F1185A9D019E7211E77496058F91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA0AC0, Relevance: .0, Instructions: 16COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 32a673cc96f758f4a8d12e64db91e9ff78fb00ae484f79744a888850f5eac6ff
                                    • Instruction ID: 09ac1361c8ec76ee32ed819986a4f431a82727966ce5b2fc7d1fb98fc282a998
                                    • Opcode Fuzzy Hash: 32a673cc96f758f4a8d12e64db91e9ff78fb00ae484f79744a888850f5eac6ff
                                    • Instruction Fuzzy Hash: 49D0ECB0D403099ED780EFB9980176EBAF16B04204F108865C015E2241EBB482008B91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06FA1728, Relevance: .0, Instructions: 15COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 0000000E.00000002.730840676.0000000006FA0000.00000040.00000001.sdmp, Offset: 06FA0000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4acbb9a11641168f738e7f6566af5f30c390c04d4e6681193ad71ca409c5d0d9
                                    • Instruction ID: ff1b71c82afc66f349c3792fdf2f6217707d93991f498c93d91ef6c7b64e91d9
                                    • Opcode Fuzzy Hash: 4acbb9a11641168f738e7f6566af5f30c390c04d4e6681193ad71ca409c5d0d9
                                    • Instruction Fuzzy Hash: 0AD04CB0D443099FDB80EFA9C54575EBBF4BB04210F515965C415E2641E77846448F91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    Analysis Process: dhcpmon.exe PID: 1440 Parent PID: 968 dhcpmon.exeCOMMON

                                    Executed Functions

                                    Function 00CEBF20, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00CEBF90
                                    • GetCurrentThread.KERNEL32 ref: 00CEBFCD
                                    • GetCurrentProcess.KERNEL32 ref: 00CEC00A
                                    • GetCurrentThreadId.KERNEL32 ref: 00CEC063
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.714583062.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 808fdc77367e654b426892ceb34324f39801769d9f78274534a2e2576c1b6b37
                                    • Instruction ID: 43c9b4520c3b1b117ee74a03f655e01b2ba074067816c3bf80c19092fe9b33d6
                                    • Opcode Fuzzy Hash: 808fdc77367e654b426892ceb34324f39801769d9f78274534a2e2576c1b6b37
                                    • Instruction Fuzzy Hash: 3D516AB49047458FDB10CFAAD5887EEBBF0EF49314F148459E019B7250D7745984CF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00CEBF30, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00CEBF90
                                    • GetCurrentThread.KERNEL32 ref: 00CEBFCD
                                    • GetCurrentProcess.KERNEL32 ref: 00CEC00A
                                    • GetCurrentThreadId.KERNEL32 ref: 00CEC063
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.714583062.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 25214de9da2b39372c995a37838b04d594dd6a6304639895e6d5264589ddcbf2
                                    • Instruction ID: fb10cdb7d4d5643a6fcfd75b6e234152f3f77e62dee69484036fd57c3677e968
                                    • Opcode Fuzzy Hash: 25214de9da2b39372c995a37838b04d594dd6a6304639895e6d5264589ddcbf2
                                    • Instruction Fuzzy Hash: AB5137B0900649DFDB14CFAAD688BEEBBF0EF48314F148559E419B7250C7749984CF62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00CE9C30, Relevance: 1.7, APIs: 1, Instructions: 195COMMON
                                    Download Yara Rule
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00CE9E76
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.714583062.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 415e880839caba3acd7dd6ffc533e8b5ea12b29e455f8bb73137628c8dce4a18
                                    • Instruction ID: 7994c2fdff0efe9c3a0b6d63a8ed98ef611b08b2f1802998f8de8b8dea7b0067
                                    • Opcode Fuzzy Hash: 415e880839caba3acd7dd6ffc533e8b5ea12b29e455f8bb73137628c8dce4a18
                                    • Instruction Fuzzy Hash: 85714370A00B458FDB24DF6AD44179ABBF1FF88310F10892DE45AD7A50DB34EA09CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00CE5375, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00CE5431
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.714583062.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: a15e6b4590ae090ab5a154b6c2035b2ae6a6af33a117dbfd35f3bbcc4ee21b9e
                                    • Instruction ID: 0c1c6149d4e3004aa88c4812fb7454fde1d0fa7fb7458caac8ff951b3f398388
                                    • Opcode Fuzzy Hash: a15e6b4590ae090ab5a154b6c2035b2ae6a6af33a117dbfd35f3bbcc4ee21b9e
                                    • Instruction Fuzzy Hash: B64106B1C00658CFDB24CFAAC8887DEBBB5BF89308F248069D419BB251D7756946CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00CE3E08, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00CE5431
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.714583062.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 6f2c39df02f5c18d2c7eadfcc3369c45d63925b928f9a9425e127db3ac3a8b97
                                    • Instruction ID: 3c2852ae197b53789af075953bd54874dbd4fa8e0f87fc6b7590024b94bd645d
                                    • Opcode Fuzzy Hash: 6f2c39df02f5c18d2c7eadfcc3369c45d63925b928f9a9425e127db3ac3a8b97
                                    • Instruction Fuzzy Hash: 4341E3B1D00658CFDB24CFAAC8487DEBBB5BF48308F148469D419BB251D7756945CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 02822D90, Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                    Download Yara Rule
                                    APIs
                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 02822E51
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.715463733.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                    Similarity
                                    • API ID: CallProcWindow
                                    • String ID:
                                    • API String ID: 2714655100-0
                                    • Opcode ID: 64ec6d1dea842425f6d7a200afa9abd930a33bb24ae07cc673339f51f58df6ae
                                    • Instruction ID: 3b28631dbde9b97c0beb7b939a4be7aa7515237897f166484110e9dd2053062c
                                    • Opcode Fuzzy Hash: 64ec6d1dea842425f6d7a200afa9abd930a33bb24ae07cc673339f51f58df6ae
                                    • Instruction Fuzzy Hash: B3414AB8A00309CFDB14CF89C448BAABBF5FF88314F158459D519AB325D774A885CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00CEC150, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                    Download Yara Rule
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CEC1DF
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.714583062.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: d2b34be4bcaa3d76ad8759f0a987af30111aec3808e503c632e765604a0183d5
                                    • Instruction ID: a7c74c616995cef1a12e6cfed0e3d3fcccb1e488185b3e1ec037fd7097e2bec3
                                    • Opcode Fuzzy Hash: d2b34be4bcaa3d76ad8759f0a987af30111aec3808e503c632e765604a0183d5
                                    • Instruction Fuzzy Hash: 4321E2B59012499FDB10CFA9D884AEEBFF4FF48324F14841AE914A7311C778A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00CEC158, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                    Download Yara Rule
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CEC1DF
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.714583062.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: 72f6683ba514e5310458226a01aa5bd0b1e50a4357a6729aaa7781a061b587e5
                                    • Instruction ID: f75f890e210f9d2c86b2cf19674d1ecde411b61fd4323f6aebdcf77187ebe5b0
                                    • Opcode Fuzzy Hash: 72f6683ba514e5310458226a01aa5bd0b1e50a4357a6729aaa7781a061b587e5
                                    • Instruction Fuzzy Hash: AA21F3B5901248AFDB10CFAAD884ADEBBF8FF48320F14841AE914B3310D374A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00CEA090, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CE9EF1,00000800,00000000,00000000), ref: 00CEA102
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.714583062.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: a18d774766c1e6abba79f3361f9c1f6a06c03760fff970e041a41caf470d7b19
                                    • Instruction ID: 2e22acdbf23aa60612efaa5c4383d3cfe229e55aac3e662de9ce234d8414a54f
                                    • Opcode Fuzzy Hash: a18d774766c1e6abba79f3361f9c1f6a06c03760fff970e041a41caf470d7b19
                                    • Instruction Fuzzy Hash: 211114B6D002499FDB10CF9AD844BDEFBF4EB88324F05842ED429A7200C775A945CFA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00CE8FA0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CE9EF1,00000800,00000000,00000000), ref: 00CEA102
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.714583062.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 1f74da377984b25341ac72f0c2e55bb82888c6f5c6507f63bf7f8f813a78cdbd
                                    • Instruction ID: 9a5b402c0edc2709b52092b3ce4a373482149cdeef37dd6682d5f0ac2ac186a9
                                    • Opcode Fuzzy Hash: 1f74da377984b25341ac72f0c2e55bb82888c6f5c6507f63bf7f8f813a78cdbd
                                    • Instruction Fuzzy Hash: FF1117B2900248DFCB10CF9AD444BDEFBF4EB48320F10842AD419A7200C374A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00CE9E10, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                    Download Yara Rule
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00CE9E76
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.714583062.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 5376a76382369c0d6b12d901b734f81a6ded26178f3fb1b300e108cbaa04f29a
                                    • Instruction ID: 3cce7c977d187605cf8d525513ed5883eb6364f9f74dbb2bf0fdba7e3882e40c
                                    • Opcode Fuzzy Hash: 5376a76382369c0d6b12d901b734f81a6ded26178f3fb1b300e108cbaa04f29a
                                    • Instruction Fuzzy Hash: 1611DFB6D006498FDB20CF9AD444BDEFBF4EB89324F14852AD529B7600C378A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06933A90, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                    Download Yara Rule
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0693CD45
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.726287128.0000000006930000.00000040.00000001.sdmp, Offset: 06930000, based on PE: false
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: f7a4e7cc303ba7bf3c96af7653fac7c82663807437be9cef25875af0da18b75c
                                    • Instruction ID: 3342666ee1ecf704fa6ee8ecde2a72ba97c49eeec56b080e7f650a92ebfdf653
                                    • Opcode Fuzzy Hash: f7a4e7cc303ba7bf3c96af7653fac7c82663807437be9cef25875af0da18b75c
                                    • Instruction Fuzzy Hash: 8711F2B5900749DFDB60CF99D988BDEBBF8EB48324F10881AE515B7600C374A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    Analysis Process: dhcpmon.exe PID: 5248 Parent PID: 3424 dhcpmon.exeCOMMON

                                    Executed Functions

                                    Function 0103BF20, Relevance: 6.1, APIs: 4, Instructions: 130threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0103BF90
                                    • GetCurrentThread.KERNEL32 ref: 0103BFCD
                                    • GetCurrentProcess.KERNEL32 ref: 0103C00A
                                    • GetCurrentThreadId.KERNEL32 ref: 0103C063
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.741024623.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: dd04a4a5a42656e145e4ca3e759e1fa274ea330eb0b1e3d6719def0b714ee5b5
                                    • Instruction ID: bf6a34e1462baf41c0008cf916c18aae3235a294aafd3a41c13da45341c4eb91
                                    • Opcode Fuzzy Hash: dd04a4a5a42656e145e4ca3e759e1fa274ea330eb0b1e3d6719def0b714ee5b5
                                    • Instruction Fuzzy Hash: B55166B09006488FEB14CFA9D648BDEBFF1EF89318F20855AE159B7250C7359844CF62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0103BF30, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                    Download Yara Rule
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0103BF90
                                    • GetCurrentThread.KERNEL32 ref: 0103BFCD
                                    • GetCurrentProcess.KERNEL32 ref: 0103C00A
                                    • GetCurrentThreadId.KERNEL32 ref: 0103C063
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.741024623.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 7eca542b0bf249a8679b7c9b102b14abae05ec29c0f3c702853450533bc61332
                                    • Instruction ID: 32e8485f8660f7e9788da7b0261b4ca09edb677a6c58bdb93dc48dbd9f9b3d7f
                                    • Opcode Fuzzy Hash: 7eca542b0bf249a8679b7c9b102b14abae05ec29c0f3c702853450533bc61332
                                    • Instruction Fuzzy Hash: B55155B09006498FEB14CFA9D648BDEBBF4EF89318F20855AE059B7250C7359844CF62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 092201A0, Relevance: 2.6, Strings: 2, Instructions: 96COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: $%l$$%l
                                    • API String ID: 0-1113482058
                                    • Opcode ID: e5cf358fb8aa3b111b9bcc54439cc923e9b079eacfe4a27993e360a38a4a8a93
                                    • Instruction ID: 5f77480437ed588876979758c11a327c115dc0982423ad976f45a0f1bca52993
                                    • Opcode Fuzzy Hash: e5cf358fb8aa3b111b9bcc54439cc923e9b079eacfe4a27993e360a38a4a8a93
                                    • Instruction Fuzzy Hash: CB31BE34B006168BDB25AF75C9A066E77A2AFCA304F04857DD44A8F796CB34DC0ACB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 092201B0, Relevance: 2.6, Strings: 2, Instructions: 88COMMON
                                    Download Yara Rule
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID: $%l$$%l
                                    • API String ID: 0-1113482058
                                    • Opcode ID: 25dc722a398c954ebf9cfd3a75d356bc4ed86cd3284adc4af74001fe36ba50cc
                                    • Instruction ID: cbdeb1fd2df5756fb08bb714b288240cf6cabb578c0363d3ea00db740ec85cce
                                    • Opcode Fuzzy Hash: 25dc722a398c954ebf9cfd3a75d356bc4ed86cd3284adc4af74001fe36ba50cc
                                    • Instruction Fuzzy Hash: 4A319F34B006168BDB24EF75C95062E76A2AFC9709F04857DD44A8F795CF34DC0A8B94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06EEBDF0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06EEC026
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.746648179.0000000006EE0000.00000040.00000001.sdmp, Offset: 06EE0000, based on PE: false
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 21e84299ca4c6df1e2dcc5e872cdd8d8da3b1574aaff032e7922b9a27ccb4f28
                                    • Instruction ID: 91dd327cb96d763b817f0a2c0159d30e52efdf0dd5b4fe82da2bfa3765c3f9af
                                    • Opcode Fuzzy Hash: 21e84299ca4c6df1e2dcc5e872cdd8d8da3b1574aaff032e7922b9a27ccb4f28
                                    • Instruction Fuzzy Hash: C1916B71D00319DFDB50CFA8C8817EEBBB2BF48318F1485A9E819A7250DB749985CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 01039C30, Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                    Download Yara Rule
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 01039E76
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.741024623.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: bd14d07c851d1ba6c22271604ed0737acd89f9971608489ca76ec949453d8d5f
                                    • Instruction ID: 05aba03a6033b27e7e183ba8442fac8def9991658313407cadd6157fb0295887
                                    • Opcode Fuzzy Hash: bd14d07c851d1ba6c22271604ed0737acd89f9971608489ca76ec949453d8d5f
                                    • Instruction Fuzzy Hash: 88716570A00B058FDB64DF2AD44579ABBF5BF88308F008A2EE19AD7A50D774E805CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 01035375, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 01035431
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.741024623.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 7e73ac4300a0252e4ca87db3dac6252cf38b6b0d96351165082b808087936779
                                    • Instruction ID: 46301664acabf3704e4789db238a1976b8119c248a7aeb5354a70bbdc9c43e2c
                                    • Opcode Fuzzy Hash: 7e73ac4300a0252e4ca87db3dac6252cf38b6b0d96351165082b808087936779
                                    • Instruction Fuzzy Hash: F041F4B1D00618DBDF24CFA9C8447DEBBB5BF89308F208069D449AB251DB756946CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 01033E08, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                    Download Yara Rule
                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 01035431
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.741024623.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: e0383c48c615b2157a54034d8707b85cd16a82fa0dbde010724f8324a0eb6e85
                                    • Instruction ID: 21120507649c36c2cd91f45c7f58af4a0b18f148e53a7bc0e9cd4140885bc84d
                                    • Opcode Fuzzy Hash: e0383c48c615b2157a54034d8707b85cd16a82fa0dbde010724f8324a0eb6e85
                                    • Instruction Fuzzy Hash: F041C2B1D00618DBDF24CFA9C8487DEBBB9BF89308F208469D449AB251DB756946CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 072777CC, Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                    Download Yara Rule
                                    APIs
                                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07278E85,?,?), ref: 07278F37
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.746921478.0000000007270000.00000040.00000001.sdmp, Offset: 07270000, based on PE: false
                                    Similarity
                                    • API ID: DrawText
                                    • String ID:
                                    • API String ID: 2175133113-0
                                    • Opcode ID: 447ed9978faf10d93345aad63eddc966778f939273f9b7c20487ffdecb85a64d
                                    • Instruction ID: aafd3ed63f8692f1621d20121f2e362d286d5f2848cf284ef1ae18c5b1a158e0
                                    • Opcode Fuzzy Hash: 447ed9978faf10d93345aad63eddc966778f939273f9b7c20487ffdecb85a64d
                                    • Instruction Fuzzy Hash: 5C3103B1D1024A9FCB10CF99D884AEEFBF5FF58320F54842AE819A7200C774A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 07278E99, Relevance: 1.6, APIs: 1, Instructions: 70COMMON
                                    Download Yara Rule
                                    APIs
                                    • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07278E85,?,?), ref: 07278F37
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.746921478.0000000007270000.00000040.00000001.sdmp, Offset: 07270000, based on PE: false
                                    Similarity
                                    • API ID: DrawText
                                    • String ID:
                                    • API String ID: 2175133113-0
                                    • Opcode ID: 8cbbe208e3bd4a11f3fc7812c1bfdf0b4a159c10a840b9c5505850f0959724f3
                                    • Instruction ID: eeaad652fad384a64901be92f4feeaff61ff4352eff1dce3885791e180740115
                                    • Opcode Fuzzy Hash: 8cbbe208e3bd4a11f3fc7812c1bfdf0b4a159c10a840b9c5505850f0959724f3
                                    • Instruction Fuzzy Hash: 3E2112B5D0024A9FCB00CF99D988ADEBBF5FF58320F54842EE819A7610C334A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0103C150, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                    Download Yara Rule
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0103C1DF
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.741024623.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: a6a5c8149cc0ae1935d5d0a1f637ce3f5f4ccadb51889dea8f8af7ae22a504e6
                                    • Instruction ID: f05127832b49dbfc959ed37887eaed44071e88ec53bb0b414bf4df5dd4a2bdaf
                                    • Opcode Fuzzy Hash: a6a5c8149cc0ae1935d5d0a1f637ce3f5f4ccadb51889dea8f8af7ae22a504e6
                                    • Instruction Fuzzy Hash: 232103B5900208AFDB10CFA9D984AEEBFF4EB49320F14841AE954B3310C374A955CF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0103C158, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                    Download Yara Rule
                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0103C1DF
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.741024623.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: fa03516072b1543d812b10f0a0493f4a0c17623718390f37497b9ea0bd2f4389
                                    • Instruction ID: 740bb3703ec3b82f4cff2b5f91faa2cd6e864f2b54b73c592f72d6d0e922a6c3
                                    • Opcode Fuzzy Hash: fa03516072b1543d812b10f0a0493f4a0c17623718390f37497b9ea0bd2f4389
                                    • Instruction Fuzzy Hash: 1F21E4B59002089FDB10CFA9D984ADEBBF8EB49320F14841AE914B3310D374A954CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0103A090, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01039EF1,00000800,00000000,00000000), ref: 0103A102
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.741024623.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 5ff20b9593c70f8b58ea9b293d6c65b55fb4eac3b773efe70f753ed8b72e7e1d
                                    • Instruction ID: 61a6e980bbf4dabeaa13516042948e6a4623f5eff0267b8ad92a95e772c65bfd
                                    • Opcode Fuzzy Hash: 5ff20b9593c70f8b58ea9b293d6c65b55fb4eac3b773efe70f753ed8b72e7e1d
                                    • Instruction Fuzzy Hash: 8A1114B6D002488FDB10CFAAD484ADEFBF4EB89310F14842AD559A7600C379A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 01038FA0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                    Download Yara Rule
                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01039EF1,00000800,00000000,00000000), ref: 0103A102
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.741024623.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 207f4d92e37333e4b1903b3daf6161437b57d1d773665c1434afa8d824ba1acc
                                    • Instruction ID: 573c0c31fab84aa17d7b2e7002b0044e5df0b6d56fa0b049677c418638a4d4bf
                                    • Opcode Fuzzy Hash: 207f4d92e37333e4b1903b3daf6161437b57d1d773665c1434afa8d824ba1acc
                                    • Instruction Fuzzy Hash: 241117B2900208DFDB10CF9AD444ADEFBF8EB89350F00842EE559A7600C375A945CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 08544058, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                    Download Yara Rule
                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 085440B8
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.746982692.0000000008540000.00000040.00000001.sdmp, Offset: 08540000, based on PE: false
                                    Similarity
                                    • API ID: ChangeCloseFindNotification
                                    • String ID:
                                    • API String ID: 2591292051-0
                                    • Opcode ID: af34a03ef61bc55b0965f7066aa17d907a40f8889cb71f7532577e08a0d039e5
                                    • Instruction ID: 1b4215b359148d8d10f370cda83ebc611a5b141b36cff47791f8f7af9e68e5fa
                                    • Opcode Fuzzy Hash: af34a03ef61bc55b0965f7066aa17d907a40f8889cb71f7532577e08a0d039e5
                                    • Instruction Fuzzy Hash: 4B1136B68002098FCB10CF99C5487DEBBF0EB48324F14841AD418B7740D738A955CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 06EE3AA0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                    Download Yara Rule
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06EEFE2D
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.746648179.0000000006EE0000.00000040.00000001.sdmp, Offset: 06EE0000, based on PE: false
                                    Similarity
                                    • API ID: MessagePost
                                    • String ID:
                                    • API String ID: 410705778-0
                                    • Opcode ID: a48a875503f84c41c36a779a3e353b0c16b192bf4bc0e66da6bd268e73d8b234
                                    • Instruction ID: 25c555b149d853896ca464032f82a3cdd7a9210263cc8399a685c634857410db
                                    • Opcode Fuzzy Hash: a48a875503f84c41c36a779a3e353b0c16b192bf4bc0e66da6bd268e73d8b234
                                    • Instruction Fuzzy Hash: 9C1130B59007089FDB60CF89D888BDEBBF8EB48324F10841AE818A7600C374A944CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 01039E10, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                    Download Yara Rule
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 01039E76
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.741024623.0000000001030000.00000040.00000001.sdmp, Offset: 01030000, based on PE: false
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: e37569c100b9ac1481698f90a0eae87f249a3e1c787c58e7e98a7b5102946968
                                    • Instruction ID: 55e0a6d3e01c40d1d146779040bc91cc42491307d7db740a6487c445a37f0a2f
                                    • Opcode Fuzzy Hash: e37569c100b9ac1481698f90a0eae87f249a3e1c787c58e7e98a7b5102946968
                                    • Instruction Fuzzy Hash: 4E110FB2C006498FDB10CF9AD444ADEFBF8EB89324F10842AD469B7600C378A545CFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 08544060, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                    Download Yara Rule
                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 085440B8
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.746982692.0000000008540000.00000040.00000001.sdmp, Offset: 08540000, based on PE: false
                                    Similarity
                                    • API ID: ChangeCloseFindNotification
                                    • String ID:
                                    • API String ID: 2591292051-0
                                    • Opcode ID: 61f15beb338e0f45b1cc3e63ddf85772e5c1155762b4dafbdff36783de8b030e
                                    • Instruction ID: e361fa76bac3bac20b5fe458c573f16d2fbf34a333d56f10fc3aa3eebfd215c2
                                    • Opcode Fuzzy Hash: 61f15beb338e0f45b1cc3e63ddf85772e5c1155762b4dafbdff36783de8b030e
                                    • Instruction Fuzzy Hash: 831145B28002098FCB10CF99C448BDEBBF4EF48324F10842AD918A7740C738A955CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00F9D4C4, Relevance: .1, Instructions: 75COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.740853342.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 260084d5bf3bd6e78c510abadd77a28b6e38a40955c3d84412813e1f33bd77d5
                                    • Instruction ID: b5c184f47b5d7f4002ab722725502f8575cdca1eed0cc1035b48422bee46a627
                                    • Opcode Fuzzy Hash: 260084d5bf3bd6e78c510abadd77a28b6e38a40955c3d84412813e1f33bd77d5
                                    • Instruction Fuzzy Hash: D0213772904240DFEF15DF14D9C0B26BF65FB88328F39C569E9054B246C336D856EBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00FAD01C, Relevance: .1, Instructions: 72COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.740903967.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 87955a69b03fa97370603964b93d7c5a73826815eff62ba10965690716c52bcb
                                    • Instruction ID: 5be29a59b16025ab6b7821d9e4cd30bb2b5f28d93cb4fc19eb756ad1dd2b492a
                                    • Opcode Fuzzy Hash: 87955a69b03fa97370603964b93d7c5a73826815eff62ba10965690716c52bcb
                                    • Instruction Fuzzy Hash: 142104B5504240DFDB14CF24D9C4B16BB65FB89328F24C96DE80A4B74AC73AD847EA62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00FAD1D4, Relevance: .1, Instructions: 72COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.740903967.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c9e3a85e51d22d1ad91bfd4f913b06f78a04c8e27e34e4312b418b5c385c8672
                                    • Instruction ID: 37232534205dda55ff99cd9d246586daa3fdc8e20744e56dd0870af68853b302
                                    • Opcode Fuzzy Hash: c9e3a85e51d22d1ad91bfd4f913b06f78a04c8e27e34e4312b418b5c385c8672
                                    • Instruction Fuzzy Hash: 162129B1904200DFDB05CF54D9C4B26BBA5FB85324F24C96DE80A4B746C73AD846EB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00FAD005, Relevance: .1, Instructions: 62COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.740903967.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f1ba44f2be1f167d2e66992457f5cf080b792b5382ee6c50a8dd86dfa5ed697e
                                    • Instruction ID: f12b4f32a52663966dd7898d4bbbdf36c9dde6def402a659b8efcf2e40398803
                                    • Opcode Fuzzy Hash: f1ba44f2be1f167d2e66992457f5cf080b792b5382ee6c50a8dd86dfa5ed697e
                                    • Instruction Fuzzy Hash: C92180755093C08FCB02CF20D994715BF71EB46324F28C5EAD8498F697C33A980ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 09220518, Relevance: .1, Instructions: 58COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 17739273ede4d45a8a879c673b54d7bf20fc601ed6ed6758b8dc078d830578bf
                                    • Instruction ID: f6997fd350e00365256f1e6fd188e2d0d741ba655767aaf69f47d9adb8bca97a
                                    • Opcode Fuzzy Hash: 17739273ede4d45a8a879c673b54d7bf20fc601ed6ed6758b8dc078d830578bf
                                    • Instruction Fuzzy Hash: 3E113770E5122ADFCB28DF69C444AAEF7F1AF48314F55C4AAD818AB321D778D901CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 0922205B, Relevance: .1, Instructions: 56COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b4540928003ca7f99cc7120f67895b2b4d2814367e999752ddd55eb00672376b
                                    • Instruction ID: c2792f3b8c86a98d4ad01dfde33ebf55cae26d391fa66a00a9aa59bc2ee1a00b
                                    • Opcode Fuzzy Hash: b4540928003ca7f99cc7120f67895b2b4d2814367e999752ddd55eb00672376b
                                    • Instruction Fuzzy Hash: 7E11D034619380DFC316DF39C858A957FB2EF86204B0981EAE149CB673CB3A9906CB11
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 09220AFF, Relevance: .1, Instructions: 56COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d86ef3f8dd1610ec510420e9f6acee0b6450675c493c932ed407a91f58095eaa
                                    • Instruction ID: c2a967049b450f26193a5092bfed1c36327abb475ddb0a01b7cbdacb1518b2aa
                                    • Opcode Fuzzy Hash: d86ef3f8dd1610ec510420e9f6acee0b6450675c493c932ed407a91f58095eaa
                                    • Instruction Fuzzy Hash: 36113A74E51256DFDB29DF69C444AAEBBF1AF48308F1484A9D418AB721D738D842CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00F9D4BF, Relevance: .1, Instructions: 56COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.740853342.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
                                    • Instruction ID: 2b2d4d45db060e8738a182acb427623b209c0585e785c6ec0db45c85869483e6
                                    • Opcode Fuzzy Hash: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
                                    • Instruction Fuzzy Hash: 3311B176804280CFDF15CF10D5C4B16BF71FB84324F28C6A9D8454B656C336D85ADBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 09220528, Relevance: .1, Instructions: 54COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0acea44fcaee2e05a6c4a9dc622011e7ea91dd3a2f5fa2d90d033d02bc377d97
                                    • Instruction ID: fcb1351263449e2e0dbad5c919c256166cd298fb8cee88128e34c2d21eab501f
                                    • Opcode Fuzzy Hash: 0acea44fcaee2e05a6c4a9dc622011e7ea91dd3a2f5fa2d90d033d02bc377d97
                                    • Instruction Fuzzy Hash: 4201A170B64664EBC3389F19F548637BBE6EFC8710B04881DE4468A601DB71EC818B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 09222158, Relevance: .1, Instructions: 54COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5c704c87c42700c1d9fa83ed4d2e9417e74c0229cfb0eecc6d88b711be15d17c
                                    • Instruction ID: 6bc4834e72be51bb171557e13a53cb9c5ba4a9f61f56c81b3fd5b7d6cd8fbe16
                                    • Opcode Fuzzy Hash: 5c704c87c42700c1d9fa83ed4d2e9417e74c0229cfb0eecc6d88b711be15d17c
                                    • Instruction Fuzzy Hash: E5112675A19362EFCB058F61D848BFDBBF1AF47301F0840E6E055A72A2CA7A4A05CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00FAD1CF, Relevance: .1, Instructions: 53COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.740903967.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5bb4153f9a30fdc5044ab1fc0347d89dccf23cf42b6ecc64222b32b3c21c52e9
                                    • Instruction ID: f81918104de9b3c869d0c79ebadb7747ac14d608e232c9d609e065673294afc8
                                    • Opcode Fuzzy Hash: 5bb4153f9a30fdc5044ab1fc0347d89dccf23cf42b6ecc64222b32b3c21c52e9
                                    • Instruction Fuzzy Hash: 961190B5904280DFCB15CF10D5C4B15FBB1FB85324F28C6ADD8494B656C33AD85ADB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 09222198, Relevance: .0, Instructions: 46COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9c17f57644bbf389a033c06271346bd4a6f013905f19046da92ac1128c693729
                                    • Instruction ID: 4c9437a30fa9e21aee92873766c5ddeaf9b6b75e36d4bb822747c54935ad1011
                                    • Opcode Fuzzy Hash: 9c17f57644bbf389a033c06271346bd4a6f013905f19046da92ac1128c693729
                                    • Instruction Fuzzy Hash: 1E015B70D15269DFCB05DFB48858BFDBFB0AB06301F0485AAE465A3291C7B54A44DF14
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00F9D651, Relevance: .0, Instructions: 45COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.740853342.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 087ba808878b9d6849f2441344a837b4f903fb65224d9cdf19e74e316c08d4ea
                                    • Instruction ID: d94734ea0a261cfab80d29e3a77fcac56d5c45d948d5a2b30eb94144c2f05372
                                    • Opcode Fuzzy Hash: 087ba808878b9d6849f2441344a837b4f903fb65224d9cdf19e74e316c08d4ea
                                    • Instruction Fuzzy Hash: DF01F272408344ABFB108E25CC84B66BF98EF41378F28841AEE0C5B242C7789844EAB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 092221A8, Relevance: .0, Instructions: 42COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3455b4834fc1f9cc68e02a8622b4734ee3ecd4c1c5ecb79c3f8113fd8222f883
                                    • Instruction ID: 44045f6156cc5801f2c15ee78eaecf176d0fd36e8cb49e84920208aa18beac82
                                    • Opcode Fuzzy Hash: 3455b4834fc1f9cc68e02a8622b4734ee3ecd4c1c5ecb79c3f8113fd8222f883
                                    • Instruction Fuzzy Hash: F4015A30D04229EFCB04DFA5C808BFEBBF0AB06301F0484AAE428A3291D7744A40DF54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 00F9D650, Relevance: .0, Instructions: 36COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.740853342.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 232bafa105824b0f79b546dea255ae9e3bd9b1f3a0f026f6e972588da25cdc64
                                    • Instruction ID: ba0a3a166ae8ba61c947bdb39c024cefcae03484b5b294715055627eb53218ec
                                    • Opcode Fuzzy Hash: 232bafa105824b0f79b546dea255ae9e3bd9b1f3a0f026f6e972588da25cdc64
                                    • Instruction Fuzzy Hash: 0BF06272408244AEFB508E15CD88B66FF98EB51774F18C45AED085B692C3799844DAB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 09221768, Relevance: .0, Instructions: 25COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f0a6ceee215fdccd3cddd5ca697da6a81e9b7ec625252ed3a1cd854c424183e6
                                    • Instruction ID: 9d3aa4e5960d3fd7ab41351eb40d16c76387421d8255837bc0f8fa837b64e2c5
                                    • Opcode Fuzzy Hash: f0a6ceee215fdccd3cddd5ca697da6a81e9b7ec625252ed3a1cd854c424183e6
                                    • Instruction Fuzzy Hash: B2E02BE2B55B506AD727CE799E414B3BFD95EC7A04308C4BBE40DCB121DD3498116272
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Function 09221778, Relevance: .0, Instructions: 18COMMON
                                    Download Yara Rule
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.747355299.0000000009220000.00000040.00000001.sdmp, Offset: 09220000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6a2fe07121d61bdc10313a785d2ac92d506432a0bd02b63586170be659a63233
                                    • Instruction ID: eb1eb67fd0f64f67f83eac29bca9824a22f7f3dff28e6d3b958db093d45d3e57
                                    • Opcode Fuzzy Hash: 6a2fe07121d61bdc10313a785d2ac92d506432a0bd02b63586170be659a63233
                                    • Instruction Fuzzy Hash: 40D0A921760B20266228EA3FAA00837F6CE9EC8950304C03AA40DC3210DE28E80001A4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions