
Windows Analysis Report ozT6Kif37P9Trrb.exe

Overview

General Information

Sample Name: ozT6Kif37P9Trrb.exe
Analysis ID: 553225
MD5: 0e66d7d3cea736262ae210aaaa00eeb5
SHA1: 94393bb0ad4eeb3f818e34f57395642920920bb8
SHA256: 52c280a9e1df79b39d176d673ebda000c46d89eab1477eae5b1a62f4ab8373bb
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to detect virtual machines (SGDT)

Process Tree

  • System is w10x64
  • ozT6Kif37P9Trrb.exe (PID: 7104 cmdline: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" MD5: 0E66D7D3CEA736262AE210AAAA00EEB5)
    • powershell.exe (PID: 5996 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5528 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 1852 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • schtasks.exe (PID: 6780 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6928 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 6852 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5048 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5324 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "fea2b910-0578-480b-a4fe-76b7fc47", "Group": "Phaddy", "Domain1": "obeyice4rm392.bounceme.net", "Domain2": "127.0.0.1", "Port": 8951, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
9.0.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.0.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
9.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
9.0.RegSvcs.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
0.2.ozT6Kif37P9Trrb.exe.2f37814.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" , ParentImage: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe, ParentProcessId: 7104, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" , ParentImage: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe, ParentProcessId: 7104, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp, ProcessId: 5528
Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" , ParentImage: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe, ParentProcessId: 7104, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, ProcessId: 5996
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" , ParentImage: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe, ParentProcessId: 7104, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe" , ParentImage: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe, ParentProcessId: 7104, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe, ProcessId: 5996
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132866390590775293.5996.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 9.0.RegSvcs.exe.400000.3.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "fea2b910-0578-480b-a4fe-76b7fc47", "Group": "Phaddy", "Domain1": "obeyice4rm392.bounceme.net", "Domain2": "127.0.0.1", "Port": 8951, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Antivirus detection for URL or domain
Source: obeyice4rm392.bounceme.net | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: obeyice4rm392.bounceme.net | Virustotal: Detection: 8%
Yara detected Nanocore RAT
Source: Yara match | File source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTR
Machine Learning detection for sample
Source: ozT6Kif37P9Trrb.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\cVaRnofAle.exe | Joe Sandbox ML: detected
Source: 9.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: ozT6Kif37P9Trrb.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: ozT6Kif37P9Trrb.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: PrincipalPoli.pdbX source: ozT6Kif37P9Trrb.exe, cVaRnofAle.exe.0.dr
Source: Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000012.00000002.720535439.00000000006C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000015.00000002.727526357.0000000000472000.00000002.00020000.sdmp, dhcpmon.exe.9.dr
Source: Binary string: PrincipalPoli.pdb source: ozT6Kif37P9Trrb.exe, cVaRnofAle.exe.0.dr
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 00000015.00000002.727526357.0000000000472000.00000002.00020000.sdmp, dhcpmon.exe.9.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49772 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49801 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49808 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49814 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49816 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49839 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49840 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49842 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49846 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49847 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49848 -> 103.153.78.234:8951
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49849 -> 103.153.78.234:8951
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: obeyice4rm392.bounceme.net
Source: Malware configuration extractor | URLs: 127.0.0.1
Source: Joe Sandbox View | ASN Name: TWIDC-AS-APTWIDCLimitedHK
Source: global traffic | TCP traffic: 192.168.2.4:49766 -> 103.153.78.234:8951
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.WT
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.674273693.0000000005E1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.676299635.0000000005E1D000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.676356782.0000000005E1D000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.676241303.0000000005E1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669768390.0000000005DE4000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669873038.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669801024.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669839912.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669746478.0000000005DE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669768390.0000000005DE4000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669873038.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669801024.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669839912.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669746478.0000000005DE4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnu-r
Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.678112968.0000000005E17000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.678175914.0000000005E17000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: unknown | DNS traffic detected: queries for: obeyice4rm392.bounceme.net

          E-Banking Fraud:

          Yara detected Nanocore RAT
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTR

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: ozT6Kif37P9Trrb.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeCode function: 0_2_090D10A5
          Source: ozT6Kif37P9Trrb.exeBinary or memory string: OriginalFilename vs ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702006358.0000000000AD2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePrincipalPoli.exe0 vs ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.706836015.0000000008E80000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exeBinary or memory string: OriginalFilenamePrincipalPoli.exe0 vs ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: cVaRnofAle.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile read: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
          Source: ozT6Kif37P9Trrb.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe "C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe"
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile created: C:\Users\user\AppData\Roaming\cVaRnofAle.exe
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@21/22@16/2
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile read: C:\Users\user\Desktop\desktop.ini
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeMutant created: \Sessions\1\BaseNamedObjects\maZUnAb
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:588:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{fea2b910-0578-480b-a4fe-76b7fc47c575}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: ozT6Kif37P9Trrb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: ozT6Kif37P9Trrb.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: ozT6Kif37P9Trrb.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: PrincipalPoli.pdbX source: ozT6Kif37P9Trrb.exe, cVaRnofAle.exe.0.dr
          Source: Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000012.00000002.720535439.00000000006C2000.00000002.00020000.sdmp, dhcpmon.exe, 00000015.00000002.727526357.0000000000472000.00000002.00020000.sdmp, dhcpmon.exe.9.dr
          Source: Binary string: PrincipalPoli.pdb source: ozT6Kif37P9Trrb.exe, cVaRnofAle.exe.0.dr
          Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe, 00000015.00000002.727526357.0000000000472000.00000002.00020000.sdmp, dhcpmon.exe.9.dr

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: ozT6Kif37P9Trrb.exe, yA/L2.cs.Net Code: XY System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: cVaRnofAle.exe.0.dr, yA/L2.cs.Net Code: XY System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.ozT6Kif37P9Trrb.exe.ad0000.0.unpack, yA/L2.cs.Net Code: XY System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.ozT6Kif37P9Trrb.exe.ad0000.0.unpack, yA/L2.cs.Net Code: XY System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          .NET source code contains method to dynamically call methods (often used by packers)
          Source: ozT6Kif37P9Trrb.exe, yA/L2.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable283, null, null)
          Source: cVaRnofAle.exe.0.dr, yA/L2.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable283, null, null)
          Source: 0.2.ozT6Kif37P9Trrb.exe.ad0000.0.unpack, yA/L2.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable283, null, null)
          Source: 0.0.ozT6Kif37P9Trrb.exe.ad0000.0.unpack, yA/L2.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable283, null, null)
          Source: initial sampleStatic PE information: section name: .text entropy: 7.20366769092
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 9.0.RegSvcs.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 9.0.RegSvcs.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 9.0.RegSvcs.exe.400000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 9.0.RegSvcs.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 9.0.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeFile created: C:\Users\user\AppData\Roaming\cVaRnofAle.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 0.2.ozT6Kif37P9Trrb.exe.2f37814.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.ozT6Kif37P9Trrb.exe.2f2f808.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe TID: 7108 | Thread sleep time: -40611s >= -30000s
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe TID: 7148 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5572 | Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6500 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4184 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6243
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2377
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 4182
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 5286
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: foregroundWindowGot 630
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: foregroundWindowGot 695
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Code function: 0_2_00AD573E sgdt fword ptr [eax]
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Thread delayed: delay time: 40611
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: cVaRnofAle.exe.0.dr | Binary or memory string: [raw string dump omitted]
          Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8D8008
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
          Source: C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match. File source: 9.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.unpack, type: UNPACKEDPE
Source: Yara match. File source: 9.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match. File source: 9.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match. File source: 9.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.unpack, type: UNPACKEDPE
Source: Yara match. File source: 9.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.ozT6Kif37P9Trrb.exe.401a340.5.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 0.2.ozT6Kif37P9Trrb.exe.3fe7720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match. File source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: Process Memory Space: ozT6Kif37P9Trrb.exe PID: 7104, type: MEMORYSTR
Source: Yara match. File source: Process Memory Space: RegSvcs.exe PID: 1852, type: MEMORYSTR

          Remote Access Functionality:

Detected Nanocore Rat
Source: ozT6Kif37P9Trrb.exe, 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp. String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000009.00000003.738687606.00000000063A1000.00000004.00000001.sdmp. String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp. String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: the same Yara matches (unpacked PE files, memory dumps and process memory spaces of ozT6Kif37P9Trrb.exe PID 7104 and RegSvcs.exe PID 1852) already listed under Stealing of Sensitive Information above.

Mitre Att&ck Matrix

Trailing numbers after a technique are the report's signature counts for that technique.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 211 | Masquerading 2 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 11 | LSASS Memory | Security Software Discovery 111 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 211 | NTDS | Virtualization/Sandbox Evasion 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 1 | DCSync | System Information Discovery 12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 23 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

(Interactive graph not reproduced; the information recoverable from its nodes follows.)

Behavior Graph ID: 553225, Sample: ozT6Kif37P9Trrb.exe, Start date: 14/01/2022, Architecture: WINDOWS, Score: 100
Contacted domain: obeyice4rm392.bounceme.net
Root signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 15 other signatures
Processes started from the sample: ozT6Kif37P9Trrb.exe, RegSvcs.exe, dhcpmon.exe, dhcpmon.exe
• ozT6Kif37P9Trrb.exe: dropped C:\Users\user\AppData\...\cVaRnofAle.exe (PE32), C:\Users\...\cVaRnofAle.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmp1CD0.tmp (XML), C:\Users\user\...\ozT6Kif37P9Trrb.exe.log (ASCII). Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes. Started: RegSvcs.exe, powershell.exe, schtasks.exe
• RegSvcs.exe (started by ozT6Kif37P9Trrb.exe): contacted obeyice4rm392.bounceme.net at 103.153.78.234 on ports 49766, 49769, 49770 (TWIDC-AS-APTWIDCLimitedHK) and 192.168.2.1. Dropped C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO), C:\Program Files (x86)\...\dhcpmon.exe (PE32). Signature: Hides that the sample has been downloaded from the Internet (zone.identifier). Started: schtasks.exe, schtasks.exe
• conhost.exe instances were started by RegSvcs.exe, both dhcpmon.exe processes, powershell.exe and each schtasks.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
ozT6Kif37P9Trrb.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\cVaRnofAle.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |

          Unpacked PE Files

Source | Detection | Scanner | Label
9.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

          Domains

Source | Detection | Scanner | Label
obeyice4rm392.bounceme.net | 9% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.carterandcone.como.WT | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnu-r | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cno. | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
obeyice4rm392.bounceme.net | 100% | Avira URL Cloud | malware
127.0.0.1 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
obeyice4rm392.bounceme.net | 103.153.78.234 | true | true | | unknown

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
obeyice4rm392.bounceme.net | true | Avira URL Cloud: malware | unknown
127.0.0.1 | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/ | ozT6Kif37P9Trrb.exe, 00000000.00000003.678112968.0000000005E17000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.678175914.0000000005E17000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.como.WT | ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnu-r | ozT6Kif37P9Trrb.exe, 00000000.00000003.669768390.0000000005DE4000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669873038.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669801024.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669839912.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669746478.0000000005DE4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | ozT6Kif37P9Trrb.exe, 00000000.00000003.669768390.0000000005DE4000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669873038.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669801024.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669974599.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669895684.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669839912.0000000005DE7000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.669746478.0000000005DE4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.html | ozT6Kif37P9Trrb.exe, 00000000.00000003.676299635.0000000005E1D000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.676356782.0000000005E1D000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000003.676241303.0000000005E1D000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cno. | ozT6Kif37P9Trrb.exe, 00000000.00000003.669944224.0000000005DE6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ozT6Kif37P9Trrb.exe, 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, ozT6Kif37P9Trrb.exe, 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | ozT6Kif37P9Trrb.exe, 00000000.00000002.706371935.00000000070F2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/ | ozT6Kif37P9Trrb.exe, 00000000.00000003.674273693.0000000005E1D000.00000004.00000001.sdmp | false | | high

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.153.78.234 | obeyice4rm392.bounceme.net | unknown | 134687 | TWIDC-AS-APTWIDCLimitedHK | true

                                    Private

                                    IP
                                    192.168.2.1

                                    General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553225
Start date: 14.01.2022
Start time: 14:03:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ozT6Kif37P9Trrb.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@21/22@16/2
EGA Information:
• Successful, ratio: 75%
HDC Information:
• Successful, ratio: 1.2% (good quality ratio 0.7%)
• Quality average: 44.3%
• Quality standard deviation: 41%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 27
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 204.79.197.222
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fp.msedge.net, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, a-0019.standard.a-msedge.net, store-images.s-microsoft.com-c.edgekey.net, 1.perf.msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target dhcpmon.exe, PID 5324 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
14:04:17 | API Interceptor | 1x Sleep call for process: ozT6Kif37P9Trrb.exe modified
14:04:21 | API Interceptor | 31x Sleep call for process: powershell.exe modified
14:04:28 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
14:04:30 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" s>$(Arg0)
14:04:32 | API Interceptor | 899x Sleep call for process: RegSvcs.exe modified
14:04:33 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

                                    Joe Sandbox View / Context

                                    IPs

Match | Associated Sample Name / URL | Detection
103.153.78.234 | P0_00122.doc | malicious
103.153.78.234 | BmFKvDpmPT.exe | malicious

                                        Domains

Match | Associated Sample Name / URL | Detection | Context
obeyice4rm392.bounceme.net | P0_00122.doc | malicious | 103.153.78.234
obeyice4rm392.bounceme.net | BmFKvDpmPT.exe | malicious | 103.153.78.234

                                        ASN

Match | Associated Sample Name / URL | Detection | Context
TWIDC-AS-APTWIDCLimitedHK | P0_00122.doc | malicious | 103.153.78.234
TWIDC-AS-APTWIDCLimitedHK | BmFKvDpmPT.exe | malicious | 103.153.78.234
TWIDC-AS-APTWIDCLimitedHK | Proforma-Invoice.exe | malicious | 103.153.214.97
TWIDC-AS-APTWIDCLimitedHK | sGFWL8D5pG | malicious | 103.155.240.60
TWIDC-AS-APTWIDCLimitedHK | SCAN Contract-XMYK211011.xlsx | malicious | 103.153.79.104
TWIDC-AS-APTWIDCLimitedHK | WHI PYT 22.xlsx | malicious | 103.153.79.104
TWIDC-AS-APTWIDCLimitedHK | jerusalem.x86 | malicious | 103.153.4.228
TWIDC-AS-APTWIDCLimitedHK | Payment_Confirmation_Lionbank.htm | malicious | 103.153.182.185
TWIDC-AS-APTWIDCLimitedHK | SecuriteInfo.com.Linux.Mirai.4291.17657.29192 | malicious | 103.157.75.17
TWIDC-AS-APTWIDCLimitedHK | 00B5C410D204D6A92F6636E23998777D2716E8928F96B.exe | malicious | 103.155.92.143
TWIDC-AS-APTWIDCLimitedHK | ACAs6Kprey.exe | malicious | 103.155.92.143
TWIDC-AS-APTWIDCLimitedHK | 28043B9D96A6D54044950BCA23633AB601DCFDBE4305B.exe | malicious | 103.155.92.143
TWIDC-AS-APTWIDCLimitedHK | sora.arm | malicious | 103.155.240.58
TWIDC-AS-APTWIDCLimitedHK | nUkbOfIFrC.exe | malicious | 103.155.92.143
TWIDC-AS-APTWIDCLimitedHK | DocumentIndex-1256412571-12232021.xlsb | malicious | 103.155.93.23
TWIDC-AS-APTWIDCLimitedHK | DocumentIndex-1256412571-12232021.xlsb | malicious | 103.155.93.23
TWIDC-AS-APTWIDCLimitedHK | eiqhremk1t.exe | malicious | 103.155.92.143
TWIDC-AS-APTWIDCLimitedHK | 8TDgYQyI5F.exe | malicious | 103.155.92.143
TWIDC-AS-APTWIDCLimitedHK | TmLmHVz4jP.exe | malicious | 103.155.92.143
TWIDC-AS-APTWIDCLimitedHK | 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe | malicious | 103.155.92.143

JA3 Fingerprints

No context

Dropped Files

Match: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
• Associated Sample Name / URL: TH02089Q0131106THBKK.exe, Detection: malicious
• Associated Sample Name / URL: TT#U007e)9383763563783039847949N.cmd.exe, Detection: malicious
• Associated Sample Name / URL: BmFKvDpmPT.exe, Detection: malicious
• Associated Sample Name / URL: PAYMENT.exe, Detection: malicious
• Associated Sample Name / URL: epda.exe, Detection: malicious
• Associated Sample Name / URL: SOA.exe, Detection: malicious
• Associated Sample Name / URL: payment.exe, Detection: malicious
• Associated Sample Name / URL: Munish Chaudhary - Procurement Division.exe, Detection: malicious
• Associated Sample Name / URL: 2mG2ljUPxd4KpoZ.exe, Detection: malicious
• Associated Sample Name / URL: PAYMENT.exe, Detection: malicious
• Associated Sample Name / URL: purchase order.exe, Detection: malicious
• Associated Sample Name / URL: EPDA.exe, Detection: malicious
• Associated Sample Name / URL: DEBIT NOTE.exe, Detection: malicious
• Associated Sample Name / URL: TT copy.exe, Detection: malicious
• Associated Sample Name / URL: SWIFT COPY.exe, Detection: malicious
• Associated Sample Name / URL: 1IWndbhveHGz3CS.exe, Detection: malicious
• Associated Sample Name / URL: HRjJlAKt8H.exe, Detection: malicious
• Associated Sample Name / URL: SWIFT COPY.exe, Detection: malicious
• Associated Sample Name / URL: TT copy U$ 66,024.26.exe, Detection: malicious
• Associated Sample Name / URL: SWIFT COPY.exe, Detection: malicious

Created / dropped Files

                                                                                C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):45152
                                                                                Entropy (8bit):6.149629800481177
                                                                                Encrypted:false
                                                                                SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                                MD5:2867A3817C9245F7CF518524DFD18F28
                                                                                SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                                SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                                SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                                Malicious:false
                                                                                 Antivirus:
                                                                                 • Antivirus: Metadefender, Detection: 0%
                                                                                 • Antivirus: ReversingLabs, Detection: 0%
                                                                                 Joe Sandbox View:
                                                                                 • Filename: TH02089Q0131106THBKK.exe, Detection: malicious
                                                                                 • Filename: TT#U007e)9383763563783039847949N.cmd.exe, Detection: malicious
                                                                                 • Filename: BmFKvDpmPT.exe, Detection: malicious
                                                                                 • Filename: PAYMENT.exe, Detection: malicious
                                                                                 • Filename: epda.exe, Detection: malicious
                                                                                 • Filename: SOA.exe, Detection: malicious
                                                                                 • Filename: payment.exe, Detection: malicious
                                                                                 • Filename: Munish Chaudhary - Procurement Division.exe, Detection: malicious
                                                                                 • Filename: 2mG2ljUPxd4KpoZ.exe, Detection: malicious
                                                                                 • Filename: PAYMENT.exe, Detection: malicious
                                                                                 • Filename: purchase order.exe, Detection: malicious
                                                                                 • Filename: EPDA.exe, Detection: malicious
                                                                                 • Filename: DEBIT NOTE.exe, Detection: malicious
                                                                                 • Filename: TT copy.exe, Detection: malicious
                                                                                 • Filename: SWIFT COPY.exe, Detection: malicious
                                                                                 • Filename: 1IWndbhveHGz3CS.exe, Detection: malicious
                                                                                 • Filename: HRjJlAKt8H.exe, Detection: malicious
                                                                                 • Filename: SWIFT COPY.exe, Detection: malicious
                                                                                 • Filename: TT copy U$ 66,024.26.exe, Detection: malicious
                                                                                 • Filename: SWIFT COPY.exe, Detection: malicious
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):142
                                                                                Entropy (8bit):5.090621108356562
                                                                                Encrypted:false
                                                                                SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                Malicious:false
                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):142
                                                                                Entropy (8bit):5.090621108356562
                                                                                Encrypted:false
                                                                                SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                                MD5:8C0458BB9EA02D50565175E38D577E35
                                                                                SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                                SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                                SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                                Malicious:false
                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ozT6Kif37P9Trrb.exe.log
                                                                                Process:C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):1310
                                                                                Entropy (8bit):5.345651901398759
                                                                                Encrypted:false
                                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                                                                MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                                                                SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                                                                SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                                                                SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                                                                Malicious:true
                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):22276
                                                                                Entropy (8bit):5.602982212251498
                                                                                Encrypted:false
                                                                                SSDEEP:384:WtCDLq0ct1C409bCluOMSBKnYjultI+H7Y9gtSJ3xeT1MaXZlbAV7S/WXl0ZBDIX:Wy4YoM4KYClthTtc8C+fw2dVM
                                                                                MD5:E48EE2F327D6D65807AC8D4E4FFDE94A
                                                                                SHA1:01B9235FBEFEC382A4F15D5F5F52AFBD087515B5
                                                                                SHA-256:6F50352062E59D9EF57C36395B4A70AE6C16CCB0E7288834E2D696F0B901E9F9
                                                                                SHA-512:790ACF09BA79DAC1107F7EA42CF274F1FFD06695D09632C0461E1EE5AFE2E5668CAC3A194AD376A802F7239D462017011C3A2F8A0DD86EC46ABA48078953BF4A
                                                                                Malicious:false
                                                                                Preview: @...e...........y.......h...M.D.A.....c...G..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dxiz0fo4.txt.ps1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview: 1
                                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkw55tcl.b0c.psm1
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:very short file (no magic)
                                                                                Category:dropped
                                                                                Size (bytes):1
                                                                                Entropy (8bit):0.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:U:U
                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                Malicious:false
                                                                                Preview: 1
                                                                                C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp
                                                                                Process:C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
                                                                                File Type:XML 1.0 document, ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):1597
                                                                                Entropy (8bit):5.132922205599041
                                                                                Encrypted:false
                                                                                SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaqxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTLv
                                                                                MD5:1A4C3C0E87FFF635CEE22780816C7938
                                                                                SHA1:A6EFD35A27CF4ED80F159EE5D03B19F329AAAE14
                                                                                SHA-256:DB8510C86B8908ACF4A931082ADB39F850141E71EE90FD34E2607C5ACA8749B9
                                                                                SHA-512:641D68C02E56A2EF750DA17F7B01268B2A20D9FB583C2375CFDD939B6A2BDFB74D392E4A50C05374ABB103B719204E3809B5BBC90B694B0CA78227E8DA31B107
                                                                                Malicious:true
                                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                                                C:\Users\user\AppData\Local\Temp\tmp732D.tmp
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1320
                                                                                Entropy (8bit):5.135668813522653
                                                                                Encrypted:false
                                                                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mXxtn:cbk4oL600QydbQxIYODOLedq3ZXj
                                                                                MD5:8CAD1B41587CED0F1E74396794F31D58
                                                                                SHA1:11054BF74FCF5E8E412768035E4DAE43AA7B710F
                                                                                SHA-256:3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
                                                                                SHA-512:99C2EF89029DE51A866DF932841684B7FC912DF21E10E2DD0D09E400203BBDC6CBA6319A31780B7BF8B286D2CEA8EA3FC7D084348BF2F002AB4F5A34218CCBEF
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1310
                                                                                Entropy (8bit):5.109425792877704
                                                                                Encrypted:false
                                                                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                                MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                                SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                                SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                                SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                                Malicious:false
                                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):232
                                                                                Entropy (8bit):7.024371743172393
                                                                                Encrypted:false
                                                                                SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                                                MD5:32D0AAE13696FF7F8AF33B2D22451028
                                                                                SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                                                SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                                                SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                                                Malicious:false
                                                                                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                File Type:Non-ISO extended-ASCII text, with NEL line terminators
                                                                                Category:dropped
                                                                                Size (bytes):8
                                                                                Entropy (8bit):3.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:5J:5J
                                                                                MD5:31921F42DD1487F93B67C5642C1D0A6E
                                                                                SHA1:2464C7570EAF9F049929E0D550381D8FCA678996
                                                                                SHA-256:78EA0D76D709074FB94BF5046B858EAA3382C161738BC13B06915B1BFDF52E98
                                                                                SHA-512:1309E6986901275B110AEA7DCA2779B1DEFA32B73CF3EDF20434598522A8DD8CE96B7407FEF98E831CFFDC266A624AC86A435A5E5B93D4770C4F6272EC28B61C
                                                                                Malicious:true
                                                                                Preview: ..Le^..H
                                                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):24
                                                                                Entropy (8bit):4.584962500721156
                                                                                Encrypted:false
                                                                                SSDEEP:3:9bzY6oRDJoTBn:RzWDqTB
                                                                                MD5:3FCC766D28BFD974C68B38C27D0D7A9A
                                                                                SHA1:45ED19A78D9B79E46EDBFC3E3CA58E90423A676B
                                                                                SHA-256:39A25F1AB5099005A74CF04F3C61C3253CD9BDA73B85228B58B45AAA4E838641
                                                                                SHA-512:C7D47BDAABEEBB8C9D9B31CC4CE968EAF291771762FA022A2F55F9BA4838E71FDBD3F83792709E47509C5D94629D6D274CC933371DC01560D13016D944012DA5
                                                                                Malicious:false
                                                                                Preview: 9iH...}Z.4..f.....l.d
                                                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):40
                                                                                Entropy (8bit):5.221928094887364
                                                                                Encrypted:false
                                                                                SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
                                                                                MD5:AE0F5E6CE7122AF264EC533C6B15A27B
                                                                                SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
                                                                                SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
                                                                                SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
                                                                                Malicious:false
                                                                                Preview: 9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
                                                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):327432
                                                                                Entropy (8bit):7.99938831605763
                                                                                Encrypted:true
                                                                                SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                                                MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                                                SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                                                SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                                                SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                                                Malicious:false
                                                                                Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):57
                                                                                Entropy (8bit):4.830795005765378
                                                                                Encrypted:false
                                                                                SSDEEP:3:oMty8WddSWA1KMNn:oMLW6WA1j
                                                                                MD5:08E799E8E9B4FDA648F2500A40A11933
                                                                                SHA1:AC76B5E20DED247803448A2F586731ED7D84B9F3
                                                                                SHA-256:D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
                                                                                SHA-512:5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
                                                                                Malicious:false
                                                                                Preview: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                C:\Users\user\AppData\Roaming\cVaRnofAle.exe
                                                                                Process:C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):574464
                                                                                Entropy (8bit):7.193549008260358
                                                                                Encrypted:false
                                                                                SSDEEP:12288:DK777777777777N7lPB33pnS8tMtoOLHJfCJKlxqoYQ:DK777777777777llxpS8tMtA8lxqo9
                                                                                MD5:0E66D7D3CEA736262AE210AAAA00EEB5
                                                                                SHA1:94393BB0AD4EEB3F818E34F57395642920920BB8
                                                                                SHA-256:52C280A9E1DF79B39D176D673EBDA000C46D89EAB1477EAE5B1A62F4AB8373BB
                                                                                SHA-512:1374F58FFF67ABEF6C7F36BC023FC5BB7F19DE5DAE5C4D59601E31BA583BE99DEEFC6846100F2DE9283B002138C7D3C38C11CDA30BDF6F7653DA7E81BB108E67
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7.a............................~.... ........@.. ....................... ............@.................................0...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H.......,f..........E...4....D............................................{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*.....{....*"..}....*....0.......... ....(....95...&..(..... ........8.....(..........8.... ............E............P...............p...............P.......................c... ........8.....9....r...p.(..... ........8....8;...r...p.(...... ....(....:h...&8....rK..p.(...... ........8C...8....ry..p.(...... ....8+...8....r...p.. ..
                                                                                C:\Users\user\AppData\Roaming\cVaRnofAle.exe:Zone.Identifier
                                                                                Process:C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:true
                                                                                Preview: [ZoneTransfer]....ZoneId=0
                                                                                C:\Users\user\Documents\20220114\PowerShell_transcript.639509.GGL+h8F7.20220114140420.txt
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):5789
                                                                                Entropy (8bit):5.382988567412468
                                                                                Encrypted:false
                                                                                SSDEEP:96:BZgj8NQqDo1ZJZBj8NQqDo1Z7uw2jZIj8NQqDo1Z4bGG6Zd:u
                                                                                MD5:FE5FA47B5771CF56B743936E557D1CF5
                                                                                SHA1:1A9168837DC0D321A9D116DF31CE1586C30346B8
                                                                                SHA-256:C432267A4AC9B2328DACFB5CBCB983D2DA8D14529A27F2204E678BBEF89B7D64
                                                                                SHA-512:8E9A920A0686A561CCEE9552D7E1D21B9BB22D9BEFF29B8CA068E75A3301C36193B88DD009600D28B3F6A35D91F8518AFFDC18C38BA93FDE9D9E786A39366AC7
                                                                                Malicious:false
                                                                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20220114140421..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 639509 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\cVaRnofAle.exe..Process ID: 5996..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220114140421..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\cVaRnofAle.exe..**********************..Windows PowerShell transcript start..Start time: 20220114140802..Username: computer\user..RunAs User: computer\jone
                                                                                \Device\ConDrv
                                                                                Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1141
                                                                                Entropy (8bit):4.44831826838854
                                                                                Encrypted:false
                                                                                SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                                MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                                SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                                SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                                SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                                Malicious:false
                                                                                Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                                Static File Info

                                                                                General

                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):7.193549008260358
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                File name:ozT6Kif37P9Trrb.exe
                                                                                File size:574464
                                                                                MD5:0e66d7d3cea736262ae210aaaa00eeb5
                                                                                SHA1:94393bb0ad4eeb3f818e34f57395642920920bb8
                                                                                SHA256:52c280a9e1df79b39d176d673ebda000c46d89eab1477eae5b1a62f4ab8373bb
                                                                                SHA512:1374f58fff67abef6c7f36bc023fc5bb7f19de5dae5c4d59601e31ba583be99deefc6846100f2de9283b002138c7d3c38c11cda30bdf6f7653da7e81bb108e67
                                                                                SSDEEP:12288:DK777777777777N7lPB33pnS8tMtoOLHJfCJKlxqoYQ:DK777777777777llxpS8tMtA8lxqo9
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7.a............................~.... ........@.. ....................... ............@................................

                                                                                File Icon

                                                                                Icon Hash:00828e8e8686b000

                                                                                Static PE Info

                                                                                General

                                                                                Entrypoint:0x48d97e
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                Time Stamp:0x61E13702 [Fri Jan 14 08:40:34 2022 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:v4.0.30319
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                Entrypoint Preview

                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
add byte ptr [eax], al      ; repeated 44 times: opcode 00 00, a run of zero bytes that the disassembler renders as code

                                                                                Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8d930          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8e000          0x5dc         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x90000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x8d8e1          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x8b984       0x8ba00   False     0.748704327999   data       7.20366769092   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x8e000          0x5dc         0x600     False     0.438151041667   data       4.16155684526   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x90000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                Resources

Name         RVA      Size   Type                                                                        Language  Country
RT_VERSION   0x8e0a0  0x34e  data
RT_MANIFEST  0x8e3f0  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                                Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                                Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    2022 Tradewell
Assembly Version  22.0.0.0
InternalName      PrincipalPoli.exe
FileVersion       1.1.0.0
CompanyName       Tradewell ltd
LegalTrademarks
Comments          Purple Org
ProductName       Blaster
ProductVersion    1.1.0.0
FileDescription   Blaster
OriginalFilename  PrincipalPoli.exe
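
The static tables above carry the two facts a triage script checks first: the only import is mscoree.dll!_CorExeMain and IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is populated (0x2008, size 0x48), so this is a managed .NET image, and the executable .text section (0x8ba00 raw bytes) has entropy 7.20 and ZLIB complexity 0.75, which is consistent with an encrypted payload the assembly unpacks at run time rather than with compiled IL. The Python script below is an added example written for this page, not code from the report or from Joe Sandbox. It parses the DOS, NT, optional and section headers directly with the standard library (no pefile dependency), computes the same per-section Shannon entropy, flags executable sections above a threshold, and reads the CLR data-directory slot. The PE it analyses is constructed inline by build_sample_pe() with a random-byte .text section standing in for the encrypted payload; the 7.0 threshold, the section virtual addresses and the sample's sizes are assumptions chosen for the demonstration, not figures from the report.

```python
"""Added example: stdlib-only PE section triage (entropy + CLR header check).
Not part of the sandbox report; the analysed PE is built in-memory below."""
import math
import random
import struct

# Section characteristic bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR slot in the directory array


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS -> NT -> section headers; return (sections, has_clr_header)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    opt = file_hdr + 20
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    # NumberOfRvaAndSizes and the directory array sit at different offsets in PE32 vs PE32+
    n_dirs = struct.unpack_from("<I", pe, opt + (108 if pe32plus else 92))[0]
    dir_base = opt + (112 if pe32plus else 96)
    clr_va = 0
    if n_dirs > COM_DESCRIPTOR_INDEX:
        clr_va = struct.unpack_from("<I", pe, dir_base + COM_DESCRIPTOR_INDEX * 8)[0]
    sect_base = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = sect_base + i * 40
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections, clr_va != 0


def triage(pe: bytes, threshold: float = 7.0) -> dict:
    """Flag executable sections whose entropy exceeds the (assumed) threshold."""
    sections, managed = parse_sections(pe)
    suspicious = [s["name"] for s in sections if s["executable"] and s["entropy"] > threshold]
    return {"sections": sections, "managed": managed, "suspicious": suspicious}


def build_sample_pe(seed: int = 1) -> bytes:
    """Constructed PE32 (.text/.rsrc/.reloc + CLR directory entry); .text is random bytes
    standing in for an encrypted payload. Headers and data only, not a runnable program."""
    rng = random.Random(seed)
    text = bytes(rng.getrandbits(8) for _ in range(0x1000))
    rsrc = (b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1'/>" * 8).ljust(0x200, b"\0")
    reloc = b"\0" * 0x200
    spec = [
        (b".text", 0x2000, text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rsrc", 0x4000, rsrc, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".reloc", 0x6000, reloc, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
    ]
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0  # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[COM_DESCRIPTOR_INDEX] = (0x2008, 0x48)  # CLR header present -> managed image
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(spec)
    raw_base = (hdr_len + 0x1FF) & ~0x1FF  # file-align the first section to 0x200
    sect_hdrs, body = b"", b""
    for name, va, data, chars in spec:
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data),
                                 raw_base + len(body), 0, 0, 0, 0, chars)
        body += data
    return (dos + b"PE\0\0" + file_hdr + opt + sect_hdrs).ljust(raw_base, b"\0") + body


if __name__ == "__main__":
    report = triage(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:<7} va=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.2f} exec={s['executable']}")
    print("managed (.NET):", report["managed"], "| suspicious:", report["suspicious"])
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(). The CLR check reads only the directory slot, not the CLR header itself, which is enough to decide that the import table will be the single _CorExeMain stub and that the interesting code lives in IL (or in whatever the IL decrypts), so the section entropies, not the import list, are what distinguish a packed sample here.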

                                                                                Network Behavior

                                                                                Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                                       Src Port  Dst Port  Source IP    Dest IP
01/14/22-14:04:33.519999  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49766     8951      192.168.2.4  103.153.78.234
01/14/22-14:04:39.857137  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        58028     8.8.8.8      192.168.2.4
01/14/22-14:04:40.083111  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49769     8951      192.168.2.4  103.153.78.234
01/14/22-14:04:47.447207  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49770     8951      192.168.2.4  103.153.78.234
01/14/22-14:04:53.578748  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49771     8951      192.168.2.4  103.153.78.234
01/14/22-14:05:01.026500  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        62389     8.8.8.8      192.168.2.4
01/14/22-14:05:01.289314  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49772     8951      192.168.2.4  103.153.78.234
01/14/22-14:05:08.133013  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49801     8951      192.168.2.4  103.153.78.234
01/14/22-14:05:15.199190  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49808     8951      192.168.2.4  103.153.78.234
01/14/22-14:05:22.189784  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49814     8951      192.168.2.4  103.153.78.234
01/14/22-14:05:29.062611  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        64078     8.8.8.8      192.168.2.4
01/14/22-14:05:29.285444  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49816     8951      192.168.2.4  103.153.78.234
01/14/22-14:05:36.103156  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        64801     8.8.8.8      192.168.2.4
01/14/22-14:05:36.332449  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49839     8951      192.168.2.4  103.153.78.234
01/14/22-14:05:43.488065  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49840     8951      192.168.2.4  103.153.78.234
01/14/22-14:05:50.216788  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49842     8951      192.168.2.4  103.153.78.234
01/14/22-14:05:56.127723  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        55046     8.8.8.8      192.168.2.4
01/14/22-14:05:56.351918  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49846     8951      192.168.2.4  103.153.78.234
01/14/22-14:06:03.539133  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49847     8951      192.168.2.4  103.153.78.234
01/14/22-14:06:10.732002  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49848     8951      192.168.2.4  103.153.78.234
01/14/22-14:06:17.566202  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53        50601     8.8.8.8      192.168.2.4
01/14/22-14:06:17.790054  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49849     8951      192.168.2.4  103.153.78.234
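
Each SID 2025019 hit above is a fresh TCP connection (a new client source port every time) to 103.153.78.234:8951, spaced roughly seven seconds apart; that fixed check-in cadence, not the payload bytes, is what a beacon detector keys on once the signature no longer matches. The SID 254 alerts are DNS responses from 8.8.8.8 at irregular times and serve as a control. The Python below is an added example, not part of the report: it parses connection records in the layout of the report's TCP Packets table, keeps only the first packet of each flow so that retransmits and data packets do not count as check-ins, and scores every destination by the coefficient of variation of its inter-connection intervals. The log lines are constructed from the Snort timestamps above (the DNS events rewritten as client queries to 8.8.8.8:53, with the report's nanosecond timestamps truncated to microseconds); the thresholds min_conns=5 and max_cv=0.2 are assumptions chosen for the demonstration.

```python
"""Added example: beacon detection over per-connection records.
Not part of the sandbox report; the log below is constructed from the report's timestamps."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log, one line per connection: "<timestamp> CET <src port> <dst port> <src ip> <dst ip>"
SAMPLE_LOG = """\
Jan 14, 2022 14:04:33.519999 CET 49766 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:04:39.857137 CET 58028 53 192.168.2.4 8.8.8.8
Jan 14, 2022 14:04:40.083111 CET 49769 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:04:47.447207 CET 49770 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:04:53.578748 CET 49771 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:05:01.026500 CET 62389 53 192.168.2.4 8.8.8.8
Jan 14, 2022 14:05:01.289314 CET 49772 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:05:08.133013 CET 49801 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:05:15.199190 CET 49808 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:05:22.189784 CET 49814 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:05:29.062611 CET 64078 53 192.168.2.4 8.8.8.8
Jan 14, 2022 14:05:29.285444 CET 49816 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:05:36.103156 CET 64801 53 192.168.2.4 8.8.8.8
Jan 14, 2022 14:05:36.332449 CET 49839 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:05:43.488065 CET 49840 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:05:50.216788 CET 49842 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:05:56.127723 CET 55046 53 192.168.2.4 8.8.8.8
Jan 14, 2022 14:05:56.351918 CET 49846 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:06:03.539133 CET 49847 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:06:10.732002 CET 49848 8951 192.168.2.4 103.153.78.234
Jan 14, 2022 14:06:17.566202 CET 50601 53 192.168.2.4 8.8.8.8
Jan 14, 2022 14:06:17.790054 CET 49849 8951 192.168.2.4 103.153.78.234
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) CET "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<src>\S+) (?P<dst>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, sport, dport, src, dst) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    head, frac = m.group("ts").split(".")
    # strptime's %f accepts at most six digits; the report prints nine
    ts = datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return ts, int(m.group("sport")), int(m.group("dport")), m.group("src"), m.group("dst")


def beacon_candidates(lines, min_conns: int = 5, max_cv: float = 0.2) -> dict:
    """Per (dst ip, dst port): count of new flows, mean gap between them, and the
    coefficient of variation (pstdev / mean) of those gaps. Flag as beacon when there are
    at least min_conns flows and the gaps are regular (cv < max_cv). Jittered C2 raises cv."""
    first_seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, sport, dport, src, dst = rec
        flow = (src, sport, dst, dport)  # one entry per flow, whatever the packet count
        if flow not in first_seen:
            first_seen[flow] = ts
    per_dst = defaultdict(list)
    for (src, sport, dst, dport), ts in first_seen.items():
        per_dst[(dst, dport)].append(ts)
    results = {}
    for key, stamps in per_dst.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps) if gaps else 0.0
        cv = statistics.pstdev(gaps) / mean if len(gaps) > 1 and mean else float("inf")
        results[key] = {
            "connections": len(stamps),
            "mean_interval": mean,
            "cv": cv,
            "beacon": len(stamps) >= min_conns and cv < max_cv,
        }
    return results


if __name__ == "__main__":
    for (ip, port), r in sorted(beacon_candidates(SAMPLE_LOG.splitlines()).items()):
        verdict = "BEACON" if r["beacon"] else "ok"
        print(f"{ip}:{port:<5} n={r['connections']:<3} mean={r['mean_interval']:6.2f}s "
              f"cv={r['cv']:.3f} {verdict}")
```

On the constructed data the C2 destination comes out at sixteen flows with a mean gap near 6.95 s and cv around 0.06, while the DNS control, with six events and gaps from 7 s to 28 s, has cv above 0.3 and is not flagged. The same function works on a Zeek conn.log or firewall export once parse_line is adapted to that layout; the flow-dedup step matters there because a single C2 session in the report's TCP table produces over a hundred packets.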

                                                                                Network Port Distribution

                                                                                TCP Packets

Timestamp                            Src Port  Dst Port  Source IP       Dest IP
Jan 14, 2022 14:04:33.227729082 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:33.452159882 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:33.452919960 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:33.519999027 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:33.759257078 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:33.759376049 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:34.035556078 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:34.035623074 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:34.258569956 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:34.312875986 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:34.644413948 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:34.919837952 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:34.920998096 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.185039043 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.197146893 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.197293997 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.197367907 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.197539091 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.197642088 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.197702885 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.419930935 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.420197964 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.420269012 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.420500040 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.420526028 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.420583010 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.420644999 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.420736074 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.420777082 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.420896053 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.421016932 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.421066046 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.643018007 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643042088 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643058062 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643074036 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643094063 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643116951 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643134117 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.643138885 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643162012 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643172026 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.643183947 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643205881 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643227100 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643229961 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.643251896 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643271923 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.643274069 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643295050 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.643297911 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643320084 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643342018 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.643356085 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.643395901 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.659044027 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.865747929 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.865814924 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.865883112 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.865897894 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.865930080 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.865955114 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866004944 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866004944 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866041899 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866056919 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866064072 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866113901 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866163969 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866173029 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866214991 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866275072 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866276979 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866292953 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866332054 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866343021 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866384983 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866394043 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866436005 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866437912 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866489887 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866504908 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866539955 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866549015 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866591930 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866594076 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866643906 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866650105 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866694927 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866703033 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866745949 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866751909 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866797924 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866799116 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866848946 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866852999 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866900921 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.866904020 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866950989 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.866952896 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.867007017 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.867007971 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.867064953 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.867089987 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.867141962 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.867149115 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.867191076 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.867197990 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.867250919 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.867254972 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.867300034 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.867305040 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.867351055 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.867352009 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.867403984 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.867446899 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.867455006 CET  8951      49766     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:35.867469072 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:35.867630005 CET  49766     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:39.859729052 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:40.082247019 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:40.082329035 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:40.083111048 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:40.324418068 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:40.324901104 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:40.548094988 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:40.594650984 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:40.642699957 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:40.919524908 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:40.919667959 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:41.193181038 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:41.193573952 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:41.193625927 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:41.193871021 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:41.194176912 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:41.194235086 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:41.416740894 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:41.416812897 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:41.416883945 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:41.417428970 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:41.417474031 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:41.417543888 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:41.417706966 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:41.417882919 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:41.417933941 CET  49769     8951      192.168.2.4     103.153.78.234
                                                                                Jan 14, 2022 14:04:41.418134928 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.418436050 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.418494940 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.640535116 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640587091 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640626907 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640636921 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.640667915 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640707016 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640707970 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.640744925 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640785933 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640786886 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.640835047 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640891075 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640930891 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640960932 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.640999079 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.641037941 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.641077042 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.641117096 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.641154051 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.641346931 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.641355991 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.863704920 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.863760948 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.863801956 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.863843918 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.863863945 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.863895893 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.863907099 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.863939047 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.863976002 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.863981009 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864015102 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864053965 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864054918 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864090919 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864130020 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864130974 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864171982 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864211082 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864212036 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864253044 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864291906 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864299059 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864332914 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864372969 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864376068 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864411116 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864449978 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864449978 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864490986 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864531040 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864533901 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864571095 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864608049 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864613056 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864648104 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864686966 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864686966 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864723921 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864762068 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864765882 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864799976 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864839077 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864840031 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.864878893 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:41.864918947 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:41.994579077 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086467028 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086515903 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086550951 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086574078 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086590052 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086596966 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086626053 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086642981 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086663961 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086663961 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086699009 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086738110 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086745024 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086781979 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086812973 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086822987 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086843014 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086850882 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086870909 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086879969 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086898088 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086910009 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086926937 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086935043 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.086955070 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086982012 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.086994886 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087011099 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087023020 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087038040 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087055922 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087068081 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087073088 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087095976 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087121010 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087133884 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087148905 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087161064 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087174892 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087194920 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087202072 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087213993 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087232113 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087259054 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087285995 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087296963 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087313890 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087322950 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087342024 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087368011 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087378025 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087397099 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087430000 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087431908 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087445974 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087459087 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087467909 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087492943 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087507963 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087521076 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087532043 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087551117 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087558985 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087578058 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087605953 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087616920 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087634087 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087641954 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087661028 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087673903 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087688923 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087692022 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087717056 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087743998 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087754965 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087770939 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087780952 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087798119 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087810040 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087826967 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087838888 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087855101 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087866068 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.087882042 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.087923050 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.273345947 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.309643984 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.309701920 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.309741974 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.309756041 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.309784889 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.309822083 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.309824944 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.309895992 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.309937954 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.309976101 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.309977055 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310019970 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310060978 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.310061932 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310105085 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310143948 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.310146093 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310185909 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310225964 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.310225964 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310267925 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310303926 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.310305119 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310345888 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310380936 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.310384989 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310425997 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310461998 CET497698951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:42.310465097 CET895149769103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:42.310503960 CET895149769103.153.78.234192.168.2.4
Timestamp                            Src Port  Dst Port  Source IP       Dest IP
Jan 14, 2022 14:04:42.310539007 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.310543060 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310584068 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310617924 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.310620070 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310659885 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310697079 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.310698032 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310738087 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310771942 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.310775995 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310815096 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310848951 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.310853004 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310890913 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310925007 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.310928106 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.310966969 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311002016 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.311003923 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311043978 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311078072 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.311083078 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311120033 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311155081 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.311160088 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311198950 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311233997 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.311234951 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311274052 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311307907 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.311311007 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311352015 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311391115 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311395884 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.311439991 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311479092 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.311495066 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311553001 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311589003 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.311613083 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.311676025 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.533600092 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533649921 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533683062 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533715963 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533744097 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.533747911 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533766985 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.533782959 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533818007 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533864975 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.533866882 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533900023 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533935070 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533941031 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.533967972 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.533987045 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534001112 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534030914 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534044981 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534063101 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534099102 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534117937 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534128904 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534161091 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534177065 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534192085 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534225941 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534226894 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534260988 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534293890 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534296036 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534332991 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534367085 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534380913 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534400940 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534435034 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534450054 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534470081 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534501076 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534528017 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534537077 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534574032 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534585953 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534610033 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534641981 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534653902 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534677029 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534710884 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534725904 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534744024 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534774065 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534782887 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534806967 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534841061 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534842014 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534872055 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534903049 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534931898 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534956932 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534962893 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.534971952 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.534995079 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.535023928 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.535054922 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.535060883 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.535084963 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.535092115 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.535123110 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.535152912 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.535182953 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.535192013 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.535216093 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.757065058 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757133007 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757185936 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757237911 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757246971 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.757291079 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757292986 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.757344007 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757395983 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757446051 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757447958 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.757498026 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757548094 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.757550001 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757592916 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.757601023 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757653952 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757703066 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.757704973 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757756948 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757805109 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.757814884 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757932901 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757982969 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.757988930 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.758033991 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.758081913 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.766127110 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766191959 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766242981 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766267061 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.766294956 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766347885 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766360044 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.766401052 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766448021 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.766452074 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766505003 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766551018 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.766557932 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766609907 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766660929 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766678095 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.766710997 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766762018 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766810894 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766813993 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.766860962 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766911983 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.766912937 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.766963959 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767009020 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.767015934 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767065048 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767107010 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.767115116 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767164946 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767208099 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.767215014 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767266035 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767311096 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.767317057 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767368078 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767416000 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.767419100 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767472029 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767524004 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767529964 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.767575979 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767632961 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.767637968 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767688990 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767739058 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767748117 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.767791033 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767836094 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.767842054 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767890930 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767935038 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.767942905 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.767997026 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768045902 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768045902 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.768096924 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768142939 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.768147945 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768201113 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768250942 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.768253088 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768304110 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768352032 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.768352985 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768409014 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768457890 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.768459082 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768511057 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.768558979 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:42.768562078 CET  8951      49769     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:42.769649029 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:43.133490086 CET  49769     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:47.225512028 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:47.445619106 CET  8951      49770     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:47.445828915 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:47.447206974 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:47.673571110 CET  8951      49770     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:47.675538063 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:47.895411015 CET  8951      49770     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:47.939030886 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:48.328037024 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:48.598021030 CET  8951      49770     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:48.600214958 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:48.660713911 CET  8951      49770     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:48.704714060 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:48.821995020 CET  8951      49770     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:48.876606941 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:48.996793032 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:49.267743111 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:49.270414114 CET  8951      49770     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:49.270523071 CET  49770     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:53.360523939 CET  49771     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:53.578185081 CET  8951      49771     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:53.578279018 CET  49771     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:53.578747988 CET  49771     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:53.802639008 CET  8951      49771     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:53.820707083 CET  49771     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:54.038487911 CET  8951      49771     103.153.78.234  192.168.2.4
Jan 14, 2022 14:04:54.080178976 CET  49771     8951      192.168.2.4     103.153.78.234
Jan 14, 2022 14:04:54.221388102 CET  49771     8951      192.168.2.4     103.153.78.234
                                                                                Jan 14, 2022 14:04:54.494153976 CET895149771103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:54.497198105 CET497718951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:54.557373047 CET895149771103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:54.611582041 CET497718951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:54.715315104 CET895149771103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:54.715562105 CET497718951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:54.994154930 CET895149771103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:54.994260073 CET497718951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:55.213226080 CET895149771103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:55.213355064 CET497718951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:55.431937933 CET895149771103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:55.432013035 CET497718951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:55.704812050 CET895149771103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:55.704947948 CET497718951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:04:55.986140013 CET895149771103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:04:56.895148039 CET497718951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:01.029090881 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:01.258037090 CET895149772103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:01.258178949 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:01.289314032 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:01.526289940 CET895149772103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:01.541105032 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:01.771738052 CET895149772103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:01.771944046 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:02.053148985 CET895149772103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:02.053910971 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:02.335426092 CET895149772103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:02.398721933 CET895149772103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:02.399610996 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:02.629509926 CET895149772103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:02.635163069 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:02.864880085 CET895149772103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:02.867501020 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:03.097543955 CET895149772103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:03.284127951 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:03.644174099 CET497728951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:07.820710897 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:08.038381100 CET895149801103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:08.039879084 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:08.133013010 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:08.355289936 CET895149801103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:08.389354944 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:08.607836008 CET895149801103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:08.659545898 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:08.708606005 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:08.986567974 CET895149801103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:08.986661911 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:09.267476082 CET895149801103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:09.315931082 CET895149801103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:09.316751003 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:09.534363031 CET895149801103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:09.535852909 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:09.754251957 CET895149801103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:09.754336119 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:09.973082066 CET895149801103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:10.019001007 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:10.769912958 CET498018951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:14.949363947 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:15.178430080 CET895149808103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:15.178519964 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:15.199189901 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:15.433811903 CET895149808103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:15.478957891 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:15.708416939 CET895149808103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:15.753869057 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:15.801485062 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:16.087765932 CET895149808103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:16.801527023 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:17.082353115 CET895149808103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:17.082480907 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:17.361702919 CET895149808103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:17.416281939 CET895149808103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:17.457137108 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:17.471468925 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:17.685957909 CET895149808103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:17.754028082 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:17.762824059 CET895149808103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:17.819264889 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:17.847984076 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:18.049500942 CET895149808103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:18.049565077 CET498088951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:21.968605995 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:22.187180042 CET895149814103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:22.189729929 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:22.189784050 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:22.416620016 CET895149814103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:22.417077065 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:22.635042906 CET895149814103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:22.676311016 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:22.865777969 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:23.146974087 CET895149814103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:23.708837032 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:23.981920958 CET895149814103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:23.985213041 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:24.050288916 CET895149814103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:24.098311901 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:24.204181910 CET895149814103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:24.205188036 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:24.479698896 CET895149814103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:24.479859114 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:24.697530031 CET895149814103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:24.697861910 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:24.911365986 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:24.916960955 CET895149814103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:24.917061090 CET498148951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:29.065942049 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:29.284563065 CET895149816103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:29.284748077 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:29.285444021 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:29.509047985 CET895149816103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:29.517621994 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:30.051953077 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:30.314646006 CET895149816103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:30.335944891 CET895149816103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:30.380098104 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:30.550570965 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:30.813811064 CET895149816103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:30.892851114 CET895149816103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:30.897109985 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:31.116380930 CET895149816103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:31.116471052 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:31.389163017 CET895149816103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:31.389249086 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:31.654134989 CET895149816103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:31.708334923 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:31.912179947 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:31.928186893 CET895149816103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:31.931195974 CET498168951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:36.104526997 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:36.331026077 CET895149839103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:36.331118107 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:36.332448959 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:36.563642979 CET895149839103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:36.565291882 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:36.791712046 CET895149839103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:36.833741903 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:36.922287941 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:37.203022957 CET895149839103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:37.203135014 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:37.484633923 CET895149839103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:37.548616886 CET895149839103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:37.599498034 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:37.603214025 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:37.825887918 CET895149839103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:37.880712986 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:37.888112068 CET895149839103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:37.898765087 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:38.125266075 CET895149839103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:38.125400066 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:38.351609945 CET895149839103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:38.396542072 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:38.946358919 CET498398951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:43.257241964 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:43.485718012 CET895149840103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:43.487437010 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:43.488065004 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:43.721595049 CET895149840103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:43.741092920 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:43.970324993 CET895149840103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:43.970979929 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:44.249798059 CET895149840103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:44.249955893 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:44.538106918 CET895149840103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:44.602094889 CET895149840103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:44.602956057 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:44.832617044 CET895149840103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:44.833502054 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:45.064141989 CET895149840103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:45.064235926 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:45.294456959 CET895149840103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:45.334456921 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:45.913203955 CET498408951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:49.995709896 CET498428951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:50.216017008 CET895149842103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:50.216161013 CET498428951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:50.216788054 CET498428951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:50.440413952 CET895149842103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:50.441188097 CET498428951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:50.661564112 CET895149842103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:50.710028887 CET498428951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:51.037894964 CET498428951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:51.314774036 CET895149842103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:51.314929962 CET498428951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:51.378339052 CET895149842103.153.78.234192.168.2.4
                                                                                Jan 14, 2022 14:05:51.428792000 CET498428951192.168.2.4103.153.78.234
                                                                                Jan 14, 2022 14:05:51.534128904 CET895149842103.153.78.234192.168.2.4
Jan 14, 2022 14:05:51.534569025 CET | 49842 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:51.814044952 CET | 8951 | 49842 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:51.814186096 CET | 49842 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:52.033981085 CET | 8951 | 49842 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:52.054864883 CET | 49842 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:56.129914045 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:56.349802017 CET | 8951 | 49846 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:56.350044012 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:56.351917982 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:56.577805996 CET | 8951 | 49846 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:56.578313112 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:56.798302889 CET | 8951 | 49846 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:56.851247072 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:57.037363052 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:57.304358959 CET | 8951 | 49846 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:57.307638884 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:57.367770910 CET | 8951 | 49846 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:57.413664103 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:57.527453899 CET | 8951 | 49846 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:57.527757883 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:57.804073095 CET | 8951 | 49846 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:57.804523945 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:58.025099039 CET | 8951 | 49846 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:58.055885077 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:58.275629997 CET | 8951 | 49846 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:05:58.320127010 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:05:59.120086908 CET | 49846 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:03.199270964 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:03.423331022 CET | 8951 | 49847 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:03.427263975 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:03.539133072 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:03.768822908 CET | 8951 | 49847 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:03.773138046 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:03.996968985 CET | 8951 | 49847 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:04.039146900 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:04.180541039 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:04.464368105 CET | 8951 | 49847 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:04.464518070 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:04.527061939 CET | 8951 | 49847 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:04.586081028 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:04.688817978 CET | 8951 | 49847 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:04.688926935 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:04.966907024 CET | 8951 | 49847 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:04.966996908 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:05.192118883 CET | 8951 | 49847 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:05.242417097 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:05.466079950 CET | 8951 | 49847 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:05.480274916 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:05.755738974 CET | 8951 | 49847 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:06.415527105 CET | 49847 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:10.501519918 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:10.720941067 CET | 8951 | 49848 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:10.721029043 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:10.732002020 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:10.956691980 CET | 8951 | 49848 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:10.957099915 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:11.176831961 CET | 8951 | 49848 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:11.227354050 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:11.354526043 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:11.632865906 CET | 8951 | 49848 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:11.633337975 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:11.696394920 CET | 8951 | 49848 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:11.742894888 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:11.852638006 CET | 8951 | 49848 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:11.852729082 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:12.138448000 CET | 8951 | 49848 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:12.139564037 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:12.359603882 CET | 8951 | 49848 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:12.415019989 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:12.525134087 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:12.634052038 CET | 8951 | 49848 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:12.680533886 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:12.794015884 CET | 8951 | 49848 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:13.525012016 CET | 49848 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:17.567085028 CET | 49849 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:17.789588928 CET | 8951 | 49849 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:17.789742947 CET | 49849 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:17.790054083 CET | 49849 | 8951 | 192.168.2.4 | 103.153.78.234
Jan 14, 2022 14:06:18.019937038 CET | 8951 | 49849 | 103.153.78.234 | 192.168.2.4
Jan 14, 2022 14:06:18.020160913 CET | 49849 | 8951 | 192.168.2.4 | 103.153.78.234

                                                                                UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 14:04:33.198506117 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:04:33.217678070 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:04:39.836319923 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:04:39.857136965 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:04:47.203134060 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:04:47.222959042 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:04:53.339858055 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:04:53.359272957 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:05:01.007414103 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:05:01.026499987 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:05:07.799204111 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:05:07.818840027 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:05:14.924850941 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:05:14.944628954 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:05:21.889419079 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:05:21.908710957 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:05:29.041874886 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:05:29.062611103 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:05:36.082171917 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:05:36.103156090 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:05:43.235847950 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:05:43.253010988 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:05:49.950761080 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:05:49.970071077 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:05:56.106615067 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:05:56.127722979 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:06:03.177102089 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:06:03.197158098 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:06:10.481276035 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:06:10.500468969 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jan 14, 2022 14:06:17.541971922 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2022 14:06:17.566201925 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4

                                                                                DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 14:04:33.198506117 CET | 192.168.2.4 | 8.8.8.8 | 0x9b6c | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:04:39.836319923 CET | 192.168.2.4 | 8.8.8.8 | 0xe8cb | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:04:47.203134060 CET | 192.168.2.4 | 8.8.8.8 | 0x9594 | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:04:53.339858055 CET | 192.168.2.4 | 8.8.8.8 | 0xfae | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:01.007414103 CET | 192.168.2.4 | 8.8.8.8 | 0xf16d | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:07.799204111 CET | 192.168.2.4 | 8.8.8.8 | 0x2784 | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:14.924850941 CET | 192.168.2.4 | 8.8.8.8 | 0xb8fc | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:21.889419079 CET | 192.168.2.4 | 8.8.8.8 | 0x7d29 | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:29.041874886 CET | 192.168.2.4 | 8.8.8.8 | 0xd4ff | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:36.082171917 CET | 192.168.2.4 | 8.8.8.8 | 0x4b58 | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:43.235847950 CET | 192.168.2.4 | 8.8.8.8 | 0x1a5d | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:49.950761080 CET | 192.168.2.4 | 8.8.8.8 | 0xd9bc | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:56.106615067 CET | 192.168.2.4 | 8.8.8.8 | 0x7c2 | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:06:03.177102089 CET | 192.168.2.4 | 8.8.8.8 | 0x9eb1 | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:06:10.481276035 CET | 192.168.2.4 | 8.8.8.8 | 0x96f2 | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)
Jan 14, 2022 14:06:17.541971922 CET | 192.168.2.4 | 8.8.8.8 | 0xf173 | Standard query (0) | obeyice4rm392.bounceme.net | A (IP address) | IN (0x0001)

                                                                                DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 14:04:23.938669920 CET | 8.8.8.8 | 192.168.2.4 | 0x52b2 | No error (0) | a-0019.a.dns.azurefd.net | a-0019.standard.a-msedge.net | - | CNAME (Canonical name) | IN (0x0001)
Jan 14, 2022 14:04:33.217678070 CET | 8.8.8.8 | 192.168.2.4 | 0x9b6c | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:04:39.857136965 CET | 8.8.8.8 | 192.168.2.4 | 0xe8cb | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:04:47.222959042 CET | 8.8.8.8 | 192.168.2.4 | 0x9594 | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:04:53.359272957 CET | 8.8.8.8 | 192.168.2.4 | 0xfae | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:01.026499987 CET | 8.8.8.8 | 192.168.2.4 | 0xf16d | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:07.818840027 CET | 8.8.8.8 | 192.168.2.4 | 0x2784 | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:14.944628954 CET | 8.8.8.8 | 192.168.2.4 | 0xb8fc | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:21.908710957 CET | 8.8.8.8 | 192.168.2.4 | 0x7d29 | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:29.062611103 CET | 8.8.8.8 | 192.168.2.4 | 0xd4ff | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:36.103156090 CET | 8.8.8.8 | 192.168.2.4 | 0x4b58 | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:43.253010988 CET | 8.8.8.8 | 192.168.2.4 | 0x1a5d | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:49.970071077 CET | 8.8.8.8 | 192.168.2.4 | 0xd9bc | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:05:56.127722979 CET | 8.8.8.8 | 192.168.2.4 | 0x7c2 | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:06:03.197158098 CET | 8.8.8.8 | 192.168.2.4 | 0x9eb1 | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:06:10.500468969 CET | 8.8.8.8 | 192.168.2.4 | 0x96f2 | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
Jan 14, 2022 14:06:17.566201925 CET | 8.8.8.8 | 192.168.2.4 | 0xf173 | No error (0) | obeyice4rm392.bounceme.net | - | 103.153.78.234 | A (IP address) | IN (0x0001)
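The TCP and DNS tables above show one pattern twice: a fresh source port to 103.153.78.234:8951 and a fresh A lookup for obeyice4rm392.bounceme.net roughly every seven seconds, with the lookup immediately preceding each connection. The Python below is an added example (it is not part of the Joe Sandbox report) that turns that observation into a check: it groups packets by (local host, remote host, protocol, destination port), treats the first outbound packet of each distinct source port as a session start, and flags the flow as beaconing when the gaps between session starts are regular (low coefficient of variation). The sample rows are transcribed from the tables above with a protocol tag added in front; the 49842 session is left out because its opening packets fall before this excerpt. The Packet/Finding names, the four-session minimum and the 0.25 regularity threshold are choices made for this example, not fields or values from the report.

```python
"""Beacon check over packet rows like those in the report's TCP and UDP tables.
Added example, not part of the Joe Sandbox report."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import List, NamedTuple

# Constructed sample: rows transcribed from the tables above with a protocol tag
# added in front (the report's tables have no such column).
# Layout: PROTO  timestamp  source port  dest port  source IP  dest IP
SAMPLE_PACKETS = """\
UDP Jan 14, 2022 14:04:33.198506117 CET 54531 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:04:33.217678070 CET 53 54531 8.8.8.8 192.168.2.4
UDP Jan 14, 2022 14:04:39.836319923 CET 58028 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:04:47.203134060 CET 53097 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:04:53.339858055 CET 49257 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:05:01.007414103 CET 62389 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:05:07.799204111 CET 56534 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:05:14.924850941 CET 56627 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:05:21.889419079 CET 63116 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:05:29.041874886 CET 64078 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:05:36.082171917 CET 64801 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:05:43.235847950 CET 61721 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:05:49.950761080 CET 61522 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:05:56.106615067 CET 55046 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:06:03.177102089 CET 49612 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:06:10.481276035 CET 49285 53 192.168.2.4 8.8.8.8
UDP Jan 14, 2022 14:06:17.541971922 CET 50601 53 192.168.2.4 8.8.8.8
TCP Jan 14, 2022 14:05:56.129914045 CET 49846 8951 192.168.2.4 103.153.78.234
TCP Jan 14, 2022 14:05:56.349802017 CET 8951 49846 103.153.78.234 192.168.2.4
TCP Jan 14, 2022 14:05:56.350044012 CET 49846 8951 192.168.2.4 103.153.78.234
TCP Jan 14, 2022 14:06:03.199270964 CET 49847 8951 192.168.2.4 103.153.78.234
TCP Jan 14, 2022 14:06:03.423331022 CET 8951 49847 103.153.78.234 192.168.2.4
TCP Jan 14, 2022 14:06:10.501519918 CET 49848 8951 192.168.2.4 103.153.78.234
TCP Jan 14, 2022 14:06:11.354526043 CET 49848 8951 192.168.2.4 103.153.78.234
TCP Jan 14, 2022 14:06:17.567085028 CET 49849 8951 192.168.2.4 103.153.78.234
"""


class Packet(NamedTuple):
    proto: str
    time: datetime
    sport: int
    dport: int
    src: str
    dst: str


class Finding(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    sessions: int
    mean_gap: float  # seconds between consecutive session starts
    cv: float        # pstdev / mean of those gaps; near 0 means clockwork cadence
    beacon: bool


def parse_stamp(stamp: str) -> datetime:
    """'Jan 14, 2022 14:05:51.534569025 CET' -> naive datetime. The zone name is
    dropped and the nanoseconds truncated to the microseconds strptime accepts."""
    stamp = stamp.rsplit(" ", 1)[0]
    base, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_packets(text: str) -> List[Packet]:
    packets = []
    for line in text.strip().splitlines():
        proto, rest = line.split(None, 1)
        stamp, sport, dport, src, dst = rest.rsplit(None, 4)
        packets.append(Packet(proto, parse_stamp(stamp), int(sport), int(dport), src, dst))
    return packets


def find_beacons(packets: List[Packet], local_ip: str,
                 min_sessions: int = 4, max_cv: float = 0.25) -> List[Finding]:
    """Group by (local, remote, proto, dest port); each distinct source port is one
    session, dated by its first outbound packet. Regular gaps => beacon."""
    starts = defaultdict(dict)  # key -> {source port: first outbound time}
    for p in packets:
        if p.src != local_ip:
            continue  # replies never open a session; only local -> remote packets do
        key = (p.src, p.dst, p.proto, p.dport)
        first = starts[key].get(p.sport)
        if first is None or p.time < first:
            starts[key][p.sport] = p.time
    findings = []
    for (src, dst, proto, dport), sessions in starts.items():
        times = sorted(sessions.values())
        if len(times) < min_sessions:
            continue  # too few sessions to judge the cadence
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        findings.append(Finding(src, dst, proto, dport, len(times), avg, cv, cv <= max_cv))
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_packets(SAMPLE_PACKETS), "192.168.2.4"):
        verdict = "BEACON" if f.beacon else "irregular"
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {f.sessions} sessions, "
              f"mean gap {f.mean_gap:.2f}s, cv {f.cv:.3f} -> {verdict}")
```

On this sample both flows come out as beacons: sixteen DNS queries about 6.96 s apart and four C2 sessions about 7.15 s apart. The DNS side is the more durable signal on a real network, because the client re-resolves the dynamic-DNS name before every connection, so the cadence survives even if the operator moves the C2 to another IP; on a live capture feed the function the same rows extracted from the pcap rather than a hand-typed table.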

                                                                                Code Manipulations

Statistics

Charts (interactive in the original report, not reproduced here): CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior

                                                                                System Behavior

                                                                                General

                                                                                Start time:14:04:08
                                                                                Start date:14/01/2022
                                                                                Path:C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe"
                                                                                Imagebase:0xad0000
                                                                                File size:574464 bytes
                                                                                MD5 hash:0E66D7D3CEA736262AE210AAAA00EEB5
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.702896549.000000000302A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.702652436.0000000002F01000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.703144775.0000000003F09000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                Reputation:low

                                                                                General

                                                                                Start time:14:04:19
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe"
                                                                                Imagebase:0x9e0000
                                                                                File size:430592 bytes
                                                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Reputation:high

                                                                                General

                                                                                Start time:14:04:19
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff724c50000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:14:04:19
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" /XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp"
                                                                                Imagebase:0x340000
                                                                                File size:185856 bytes
                                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
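The powershell.exe and schtasks.exe command lines above, together with the argument-less RegSvcs.exe listed further down, are the three host-side behaviours behind the Sigma hits in the signature list: a Defender path exclusion for the dropped cVaRnofAle.exe, a scheduled task created from an XML file in the user's temp directory, and a .NET utility started with no arguments at all (the sacrificial-process pattern; its memory is where the NanoCore Yara rules match). The Python below is an added example, not part of the report, that applies those three checks to a process list. The records are transcribed from the General blocks with their quoting restored; the PIDs are invented for the sample, and the list of injection-host image names is an assumption made here rather than the Sigma rule's own list.

```python
"""Command-line checks for the three host behaviours the report flags.
Added example, not part of the Joe Sandbox report."""
import re
from typing import List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int       # invented for the sample; the report lists no PIDs
    path: str      # image path, as in the report's 'Path:' field
    cmdline: str   # as in the 'Commandline:' field, with quoting restored


# Assumed list of .NET utilities commonly used as injection hosts. This is an
# assumption of the example, not the Sigma rule's own list.
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe",
                   "installutil.exe", "applaunch.exe"}

# Constructed from the General blocks of this report (PIDs invented).
SAMPLE_PROCS = [
    Proc(1, r"C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe",
         r'"C:\Users\user\Desktop\ozT6Kif37P9Trrb.exe"'),
    Proc(2, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
         r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cVaRnofAle.exe"'),
    Proc(3, r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    Proc(4, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cVaRnofAle" '
         r'/XML "C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp"'),
    Proc(5, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
]


def image_name(path: str) -> str:
    """Last path component, lower-cased (Windows paths are case-insensitive)."""
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Everything after the first token, which is the executable path, whether
    it is quoted ("C:\\Program Files\\x.exe") or bare (C:\\x.exe)."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)', cmdline, re.S)
    return m.group(1).strip() if m else ""


def detect(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) for every process that trips one of the checks."""
    hits = []
    for p in procs:
        name = image_name(p.path)
        args = arguments(p.cmdline)
        low = args.lower()
        # 1. Defender exclusion added from PowerShell (Add-MpPreference -Exclusion*).
        if name in ("powershell.exe", "pwsh.exe") and "add-mppreference" in low \
                and re.search(r"-exclusion(path|process|extension)\b", low):
            hits.append((p.pid, "defender_exclusion", args))
        # 2. Task registered from an XML file under the user's AppData\Local\Temp.
        if name == "schtasks.exe" and "/create" in low \
                and re.search(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', low):
            hits.append((p.pid, "schtask_from_user_temp", args))
        # 3. Known injection host started with an empty argument list.
        if name in INJECTION_HOSTS and args == "":
            hits.append((p.pid, "sacrificial_process_no_args", p.cmdline))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_PROCS):
        print(f"pid {pid}: {rule}: {detail}")
```

Run against the sample, the detector flags PID 2 (the exclusion), PID 4 (the task from Temp) and PID 5 (RegSvcs.exe with no arguments) and nothing else; conhost.exe carries arguments and the sample itself is not in the host list. These are string checks on command lines, so they catch the defaults a builder emits rather than an operator who renames the task, writes the XML elsewhere or passes a dummy argument to the host process; they mirror the Sigma logic and are no substitute for process-access and memory-write telemetry on the RegSvcs.exe side.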

                                                                                General

                                                                                Start time:14:04:20
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff724c50000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:14:04:21
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                Imagebase:0x7c0000
                                                                                File size:45152 bytes
                                                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.700618327.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.697528338.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.700953078.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.695887230.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                Reputation:high

                                                                                General

                                                                                Start time:14:04:28
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp"
                                                                                Imagebase:0x340000
                                                                                File size:185856 bytes
                                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:14:04:29
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff724c50000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:14:04:30
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp"
                                                                                Imagebase:0x340000
                                                                                File size:185856 bytes
                                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:14:04:31
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
                                                                                Imagebase:0x960000
                                                                                File size:45152 bytes
                                                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Reputation:high

                                                                                General

                                                                                Start time:14:04:31
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff724c50000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high

                                                                                General

                                                                                Start time:14:04:31
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff724c50000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:14:04:33
                                                                                Start date:14/01/2022
                                                                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                                                                                Imagebase:0x6c0000
                                                                                File size:45152 bytes
                                                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET
                                                                                Antivirus matches:
                                                                                • Detection: 0%, Metadefender, Browse
                                                                                • Detection: 0%, ReversingLabs

                                                                                General

                                                                                Start time:14:04:33
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff724c50000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language

                                                                                General

                                                                                Start time:14:04:36
                                                                                Start date:14/01/2022
                                                                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                                                                Imagebase:0x470000
                                                                                File size:45152 bytes
                                                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:.Net C# or VB.NET

                                                                                General

                                                                                Start time:14:04:37
                                                                                Start date:14/01/2022
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff724c50000
                                                                                File size:625664 bytes
                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
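
                                                                                The process list above shows three behaviours that deserve a detection rule: schtasks.exe creating tasks from XML files dropped in the user's Temp directory, RegSvcs.exe launched with no assembly argument (or a bare "0"), and a byte-identical copy of RegSvcs.exe (same MD5, 2867A3817C9245F7CF518524DFD18F28) running as dhcpmon.exe from Program Files. The Python below is an added example, not part of the Joe Sandbox report: it runs those three checks over constructed process-creation events built from the report's entries. The flat key=value event format, the list of injection-host binaries and the final benign schtasks query are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed events mirroring the report's process list (not real EDR telemetry).
# The key=value layout is a hypothetical flat format chosen for this example; the
# last line is a benign schtasks query added as a negative case.
SAMPLE_EVENTS = r"""
time=14:04:21 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe md5=2867A3817C9245F7CF518524DFD18F28 cmdline=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
time=14:04:28 image=C:\Windows\SysWOW64\schtasks.exe md5=15FF7D8324231381BAD48A052F85DF04 cmdline="schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp732D.tmp"
time=14:04:30 image=C:\Windows\SysWOW64\schtasks.exe md5=15FF7D8324231381BAD48A052F85DF04 cmdline="schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7AFE.tmp"
time=14:04:31 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe md5=2867A3817C9245F7CF518524DFD18F28 cmdline=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
time=14:04:33 image=C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe md5=2867A3817C9245F7CF518524DFD18F28 cmdline="C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
time=14:04:36 image=C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe md5=2867A3817C9245F7CF518524DFD18F28 cmdline="C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
time=14:04:40 image=C:\Windows\System32\schtasks.exe md5=15FF7D8324231381BAD48A052F85DF04 cmdline=schtasks.exe /query /tn "Backup"
"""

EVENT_RE = re.compile(r"time=(\S+) image=(.+?) md5=([0-9A-Fa-f]{32}) cmdline=(.*)")


@dataclass(frozen=True)
class ProcEvent:
    time: str
    image: str
    md5: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.fullmatch(line.strip())
        if m:
            events.append(ProcEvent(m.group(1), m.group(2), m.group(3).upper(), m.group(4)))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# schtasks /create taking its task definition from an XML file under the user's
# Temp directory (the "Suspicius Add Task From User AppData Temp" Sigma hit in the report).
TEMP_XML_RE = re.compile(r'/xml\s+"?[^"\s]*\\AppData\\Local\\Temp\\', re.IGNORECASE)


def scheduled_task_from_temp(ev):
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    if TEMP_XML_RE.search(ev.cmdline):
        return Finding("schtasks_create_from_user_temp", ev.image, ev.cmdline)
    return None


# .NET framework utilities commonly used as injection hosts (assumed list). Their
# legitimate use needs an assembly path on the command line, so no arguments, or a
# bare number, is the "sacrificial process with improper arguments" pattern.
SACRIFICIAL_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def sacrificial_host_without_args(ev):
    if basename(ev.image) not in SACRIFICIAL_HOSTS:
        return None
    rest = ev.cmdline
    for prefix in (f'"{ev.image}"', ev.image):   # strip the image path itself
        if rest.startswith(prefix):
            rest = rest[len(prefix):]
            break
    args = rest.split()
    if not args or all(a.isdigit() for a in args):
        return Finding("sacrificial_process_improper_args", ev.image,
                       rest.strip() or "<no arguments>")
    return None


def system_binary_copies(events):
    """An executable outside C:\\Windows whose hash equals one seen running from
    inside it: here dhcpmon.exe carries RegSvcs.exe's MD5."""
    trusted = {}
    for ev in events:
        if ev.image.lower().startswith("c:\\windows\\"):
            trusted.setdefault(ev.md5, ev.image)
    findings, reported = [], set()
    for ev in events:
        key = ev.image.lower()
        if key.startswith("c:\\windows\\") or ev.md5 not in trusted or key in reported:
            continue
        reported.add(key)
        findings.append(Finding("system_binary_copied_and_renamed", ev.image,
                                f"same MD5 as {trusted[ev.md5]}"))
    return findings


def analyse(text):
    events = parse_events(text)
    findings = []
    for ev in events:
        for rule in (scheduled_task_from_temp, sacrificial_host_without_args):
            f = rule(ev)
            if f:
                findings.append(f)
    findings.extend(system_binary_copies(events))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run as-is it reports the two task creations, both RegSvcs.exe launches and the renamed copy, and stays silent on the schtasks /query line. The hash check is deliberately data-driven: it needs no allow-list of Microsoft binaries, only the observation that the same hash ran from under C:\Windows earlier in the same telemetry, which is exactly what the report's RegSvcs.exe and dhcpmon.exe entries give you.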

                                                                                Disassembly

                                                                                Code Analysis


                                                                                  Execution Graph

                                                                                  Execution Coverage:18.4%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:148
                                                                                  Total number of Limit Nodes:4

                                                                                  Graph

                                                                                  execution_graph (the rendered graph is not recoverable from the page; its nodes name the following Win32 calls, which together form the sequence of a process-hollowing injection): PostMessageW at 0x90dbc18; CreateProcessA at 0x90d7a36 and 0x90d78d1; VirtualAllocEx at 0x90d7540; WriteProcessMemory at 0x90d7608; ReadProcessMemory at 0x90d76b0 and 0x90d76fb; SetThreadContext at 0x90d746d and 0x90d7428; ResumeThread at 0x90d73b8 and 0x90d73c2
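
                                                                                  The execution graph above recovers the injector's Win32 call chain: CreateProcessA, VirtualAllocEx, WriteProcessMemory (with ReadProcessMemory interleaved), SetThreadContext and ResumeThread, which is the classic process-hollowing sequence, and the Yara hits on RegSvcs.exe at 0x402000 show where the payload ended up. The Python below is an added example, not from the report, that matches that ordered chain against an API-call trace keyed on the process and thread handles returned by CreateProcessA, so interleaved reads, repeated writes or calls against unrelated handles do not break or spoof the match. The trace lines are constructed; the handle values, the CREATE_SUSPENDED flag and the "api(args) -> ret" layout are assumptions, since the report shows the call sites but not their arguments.

```python
import re
from dataclasses import dataclass

# Constructed API-call trace (not from the report, whose call sites show no
# arguments). Handles, the CREATE_SUSPENDED flag and the "api(args) -> ret" layout
# are assumptions; the 0x400000/0x402000 write targets mirror the region where the
# report's Yara rules later match inside RegSvcs.exe. The notepad.exe entries and
# the stray write to handle 0x3f0 are negative cases.
SAMPLE_TRACE = r"""
CreateProcessA(lpApplicationName="C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", dwCreationFlags=0x4) -> hProcess=0x1a4 hThread=0x1a8
ReadProcessMemory(hProcess=0x1a4, lpBaseAddress=0x7efde008, nSize=0x4) -> 1
VirtualAllocEx(hProcess=0x1a4, lpAddress=0x400000, dwSize=0x12000, flProtect=0x40) -> 0x400000
WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x400000, nSize=0x400) -> 1
WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x402000, nSize=0xa000) -> 1
SetThreadContext(hThread=0x1a8) -> 1
ResumeThread(hThread=0x1a8) -> 1
CreateProcessA(lpApplicationName="C:\Windows\System32\notepad.exe", dwCreationFlags=0x0) -> hProcess=0x2c0 hThread=0x2c4
ResumeThread(hThread=0x2c4) -> 0
WriteProcessMemory(hProcess=0x3f0, lpBaseAddress=0x10000, nSize=0x100) -> 1
"""

CREATE_SUSPENDED = 0x4

# Ordered chain recovered from the execution graph above. ReadProcessMemory (reading
# the child's PEB for its image base) and repeated writes are allowed in between.
HOLLOWING_CHAIN = ("CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")

CALL_RE = re.compile(r"(\w+)\((.*)\) -> (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


@dataclass
class ApiCall:
    api: str
    args: dict
    ret: dict   # named return values, or {"value": ...} for a plain return


def _kv(text):
    return {m.group(1): m.group(2).strip('"') for m in KV_RE.finditer(text)}


def parse_trace(text):
    calls = []
    for line in text.splitlines():
        m = CALL_RE.fullmatch(line.strip())
        if not m:
            continue
        ret_text = m.group(3)
        ret = _kv(ret_text) if "=" in ret_text else {"value": ret_text}
        calls.append(ApiCall(m.group(1), _kv(m.group(2)), ret))
    return calls


def find_hollowing(calls):
    """Return one record per child process for which the whole chain completed in
    order against the process/thread handles that its CreateProcessA returned."""
    progress = {}      # hProcess -> index of the next expected chain step
    thread_owner = {}  # hThread -> hProcess (links SetThreadContext/ResumeThread back)
    info, hits = {}, []
    for c in calls:
        if c.api == "CreateProcessA":
            hp, ht = c.ret["hProcess"], c.ret["hThread"]
            progress[hp], thread_owner[ht] = 1, hp
            flags = int(c.args.get("dwCreationFlags", "0"), 16)
            info[hp] = {"hProcess": hp,
                        "image": c.args.get("lpApplicationName", "?"),
                        "created_suspended": bool(flags & CREATE_SUSPENDED)}
            continue
        hp = c.args.get("hProcess") or thread_owner.get(c.args.get("hThread"))
        if hp not in progress:
            continue   # unrelated handle, or chain already completed
        if c.api == HOLLOWING_CHAIN[progress[hp]]:
            progress[hp] += 1
            if progress[hp] == len(HOLLOWING_CHAIN):
                hits.append(info[hp])
                del progress[hp]
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(parse_trace(SAMPLE_TRACE)):
        print(f"process hollowing into {hit['image']} (hProcess={hit['hProcess']}, "
              f"created suspended: {hit['created_suspended']})")
```

Keying on the handles is what keeps the rule honest: a trace that merely contains all five API names (any debugger or installer does) produces no hit, and the notepad.exe child that is resumed without a prior write never advances past the first step. The created_suspended field is reported rather than required, so a variant that hollows an already-running child is still caught.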

                                                                                  Executed Functions

                                                                                  Control-flow Graph

                                                                                  control_flow_graph for the function at 0x90d783e (the rendered graph is not recoverable from the page; its basic blocks span 0x90d7830 to 0x90d7b8d, with the CreateProcessA call in block 0x90d7a36-0x90d7a91)
                                                                                  APIs
                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 090D7A7E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateProcess
                                                                                  • String ID:
                                                                                  • API String ID: 963392458-0
                                                                                  • Opcode ID: 3a9c9d3b2f72f38b07f1c33aa0e1da0536843480adb0a8d6e67a298f8fdcf134
                                                                                  • Instruction ID: 155a6cdfbf1f95a096e0f5aeec3844d0a7c44c7c0c00f75d51d9f1fc882bfa2e
                                                                                  • Opcode Fuzzy Hash: 3a9c9d3b2f72f38b07f1c33aa0e1da0536843480adb0a8d6e67a298f8fdcf134
                                                                                  • Instruction Fuzzy Hash: A9A13BB2D013198FDB10CFA8C8817DDBBF2BF44314F1489A9E859A7250DB749985CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  control_flow_graph for the function at 0x90d7848 (the rendered graph is not recoverable from the page; its basic blocks span 0x90d7848 to 0x90d7b8d, with the CreateProcessA call in block 0x90d79d7-0x90d7a91)
                                                                                  APIs
                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 090D7A7E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateProcess
                                                                                  • String ID:
                                                                                  • API String ID: 963392458-0
                                                                                  • Opcode ID: 943fccbf8c0c460494bd32c1a24833a1bdfdc99fa7be7ac9ba4f0b268b89d4ca
                                                                                  • Instruction ID: d476758b1bbf4d8b7fb43008fc918f17c376894817ae94410afda25e17465769
                                                                                  • Opcode Fuzzy Hash: 943fccbf8c0c460494bd32c1a24833a1bdfdc99fa7be7ac9ba4f0b268b89d4ca
                                                                                  • Instruction Fuzzy Hash: 069149B1D013198FDB10CFA8C881BDEBBF2BF48314F1489A9E859A7250DB749985CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 117: 90d75b8-90d760e; 119: 90d761e-90d765d [WriteProcessMemory]; 120: 90d7610-90d761c; 122: 90d765f-90d7665; 123: 90d7666-90d7696
                                                                                   • Edges: 117->119, 117->120, 119->122, 119->123, 120->119, 122->123
                                                                                  APIs
                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 090D7650
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessWrite
                                                                                  • String ID:
                                                                                  • API String ID: 3559483778-0
                                                                                  • Opcode ID: 65d5491a53e85df19945f45c5126936bf40ac39293d64dcdeda2e1fba1a3a066
                                                                                  • Instruction ID: ce40194875ae395c91fe0655582a0e34561857fa4db2c05aa9a85ac0a347ba36
                                                                                  • Opcode Fuzzy Hash: 65d5491a53e85df19945f45c5126936bf40ac39293d64dcdeda2e1fba1a3a066
                                                                                  • Instruction Fuzzy Hash: 7B2119B59003599FCF10CFA9C8857DEBBF5FB48314F14882AE959A7240DB789954CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 127: 90d75c0-90d760e; 129: 90d761e-90d765d [WriteProcessMemory]; 130: 90d7610-90d761c; 132: 90d765f-90d7665; 133: 90d7666-90d7696
                                                                                   • Edges: 127->129, 127->130, 129->132, 129->133, 130->129, 132->133
                                                                                  APIs
                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 090D7650
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessWrite
                                                                                  • String ID:
                                                                                  • API String ID: 3559483778-0
                                                                                  • Opcode ID: a6e9820778dd69b2d2a923ad27e38dc4123d02f6e2ec04ac7d59ebfe56f7a214
                                                                                  • Instruction ID: 191ea99d682dd0cd937d5e81bc87bb304ad688f532cd53d9354280107439be82
                                                                                  • Opcode Fuzzy Hash: a6e9820778dd69b2d2a923ad27e38dc4123d02f6e2ec04ac7d59ebfe56f7a214
                                                                                  • Instruction Fuzzy Hash: 262107B19003599FCF10CFA9C884BDEBBF5FF48314F54882AE919A7240DB789954CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 137: 90d7420-90d7473; 140: 90d7475-90d7481; 141: 90d7483-90d74b3 [SetThreadContext]; 143: 90d74bc-90d74ec; 144: 90d74b5-90d74bb
                                                                                   • Edges: 137->140, 137->141, 140->141, 141->143, 141->144, 144->143
                                                                                  APIs
                                                                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 090D74A6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: ContextThread
                                                                                  • String ID:
                                                                                  • API String ID: 1591575202-0
                                                                                  • Opcode ID: 89c979682255a36436e480418e861ed56e9ac9ba50ad11d6b811ebf945a4ef93
                                                                                  • Instruction ID: 195b7374680688ffda4997d94389203823c8713587db25f0acf720eb10a63cd1
                                                                                  • Opcode Fuzzy Hash: 89c979682255a36436e480418e861ed56e9ac9ba50ad11d6b811ebf945a4ef93
                                                                                  • Instruction Fuzzy Hash: D42139719007099FCB50DFA9C4857EEBBF9EF48224F54842AD819A7340DB78A945CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 148: 90d76aa-90d773d [ReadProcessMemory]; 152: 90d773f-90d7745; 153: 90d7746-90d7776
                                                                                   • Edges: 148->152, 148->153, 152->153
                                                                                  APIs
                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 090D7730
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessRead
                                                                                  • String ID:
                                                                                  • API String ID: 1726664587-0
                                                                                  • Opcode ID: f5e56c0c89a06cb3a1c94ccf7db478aacfd106a8c2f3cce3646012e6f6971cd2
                                                                                  • Instruction ID: a850ee31481132210171c52d241f8fb79e636cd8bc8797e2014b8dcf419734be
                                                                                  • Opcode Fuzzy Hash: f5e56c0c89a06cb3a1c94ccf7db478aacfd106a8c2f3cce3646012e6f6971cd2
                                                                                  • Instruction Fuzzy Hash: B12116B19003199FCB10CFA9C885BDEBBF5FF48314F54882AE919A7240DB389945DFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 157: 90d7428-90d7473; 159: 90d7475-90d7481; 160: 90d7483-90d74b3 [SetThreadContext]; 162: 90d74bc-90d74ec; 163: 90d74b5-90d74bb
                                                                                   • Edges: 157->159, 157->160, 159->160, 160->162, 160->163, 163->162
                                                                                  APIs
                                                                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 090D74A6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: ContextThread
                                                                                  • String ID:
                                                                                  • API String ID: 1591575202-0
                                                                                  • Opcode ID: fdb70e03afd9b643a22eca111c526a0b780a50dc20c37baa2a807a5cc02735c6
                                                                                  • Instruction ID: 7f1f0fdaaced8c509d7ec77c1d50872b60293546564492a4d38c8290cbe72f33
                                                                                  • Opcode Fuzzy Hash: fdb70e03afd9b643a22eca111c526a0b780a50dc20c37baa2a807a5cc02735c6
                                                                                  • Instruction Fuzzy Hash: 072118B1D003098FDB50DFA9C4847EEBBF5EF88224F14842AD819A7240DB78A945CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 167: 90d76b0-90d773d [ReadProcessMemory]; 170: 90d773f-90d7745; 171: 90d7746-90d7776
                                                                                   • Edges: 167->170, 167->171, 170->171
                                                                                  APIs
                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 090D7730
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessRead
                                                                                  • String ID:
                                                                                  • API String ID: 1726664587-0
                                                                                  • Opcode ID: e5c9ebae16ca19a54c017401fed2d14b5762715eaac5e520a2e60e646684d20b
                                                                                  • Instruction ID: c330c3708d4064895aae5ac8b129d249f57114969df01ebd27866d76fa51cbca
                                                                                  • Opcode Fuzzy Hash: e5c9ebae16ca19a54c017401fed2d14b5762715eaac5e520a2e60e646684d20b
                                                                                  • Instruction Fuzzy Hash: 052116B19003199FCB10CFA9C884BDEBBF5FF48314F50882AE919A7240DB389944CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 175: 90d7370-90d7371; 176: 90d7364; 177: 90d7373-90d73bb; 180: 90d73c2-90d73e7 [ResumeThread]; 181: 90d73e9-90d73ef; 182: 90d73f0-90d7415
                                                                                   • Edges: 175->176, 175->177, 176->175, 177->180, 180->181, 180->182, 181->182
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: ResumeThread
                                                                                  • String ID:
                                                                                  • API String ID: 947044025-0
                                                                                  • Opcode ID: e6855919165f607635938a68cc3830486779cbf3f7831946488a45c596fc70b4
                                                                                  • Instruction ID: f8520e05a665a399b72547790f2f80f891da9ab4329ae38cd97e90f7e400b3de
                                                                                  • Opcode Fuzzy Hash: e6855919165f607635938a68cc3830486779cbf3f7831946488a45c596fc70b4
                                                                                  • Instruction Fuzzy Hash: 3D1146B1D043488FCB10CFA9C8447EEFBF9EF88224F14882AD519A7340DB75A944CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 186: 90d7500-90d757b [VirtualAllocEx]; 189: 90d757d-90d7583; 190: 90d7584-90d75a9
                                                                                   • Edges: 186->189, 186->190, 189->190
                                                                                  APIs
                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 090D756E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 4275171209-0
                                                                                  • Opcode ID: ba28620d29310eeab33fe43a13a7ba102d456d495e8522191bfa621cade45533
                                                                                  • Instruction ID: 8252e3c82d37489547323f057f063dea3175b0ac11f283c57b1b21c6abb266a7
                                                                                  • Opcode Fuzzy Hash: ba28620d29310eeab33fe43a13a7ba102d456d495e8522191bfa621cade45533
                                                                                  • Instruction Fuzzy Hash: 151107719003499FCF10DFA9C844BDFBBF5AF88324F14881AE919A7250DB75A954CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 194: 90d74f8-90d757b [VirtualAllocEx]; 197: 90d757d-90d7583; 198: 90d7584-90d75a9
                                                                                   • Edges: 194->197, 194->198, 197->198
                                                                                  APIs
                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 090D756E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 4275171209-0
                                                                                  • Opcode ID: 9e5e0631201e6cd767bfae630e11275ec1c08e1adf22a92a57270a8abe18fd3d
                                                                                  • Instruction ID: 8927e4fa2229f4cbfe0aa990e2027809eeed8802496037153b4779344e2ae70a
                                                                                  • Opcode Fuzzy Hash: 9e5e0631201e6cd767bfae630e11275ec1c08e1adf22a92a57270a8abe18fd3d
                                                                                  • Instruction Fuzzy Hash: F71137769003499FCF10CFA9C844BDEBBF5AF48324F14881AE529A7250CB799954CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 202: 90d7378-90d73e7 [ResumeThread]; 205: 90d73e9-90d73ef; 206: 90d73f0-90d7415
                                                                                   • Edges: 202->205, 202->206, 205->206
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: ResumeThread
                                                                                  • String ID:
                                                                                  • API String ID: 947044025-0
                                                                                  • Opcode ID: f47711d7056608796a7cc31f9251e136a284dfe1f6990ab397e5f1bfd6917844
                                                                                  • Instruction ID: 451e75d84036032e475494510b4e5b1188b13181abc2afa2274b0b949b2a2252
                                                                                  • Opcode Fuzzy Hash: f47711d7056608796a7cc31f9251e136a284dfe1f6990ab397e5f1bfd6917844
                                                                                  • Instruction Fuzzy Hash: 87113AB1D003098FCB10DFA9C4447DFFBF9AF88224F14881AD419A7240DB74A944CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%
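Read together, the functions listed above for the 0x090D0000 region resolve the API set of a process-hollowing (RunPE) loader: CreateProcessA starts the target, ReadProcessMemory and VirtualAllocEx locate and reserve space in it, WriteProcessMemory copies the payload in, SetThreadContext redirects the primary thread, and ResumeThread lets it run. The Python detector below is an added example and not part of the Joe Sandbox report. It walks a constructed per-process API trace and flags a parent only when the full alloc, write, SetThreadContext, ResumeThread chain is issued against a child it created CREATE_SUSPENDED. The Call record layout, the argument names hProcess, hThread, dwCreationFlags and lpApplicationName, and the sample image paths are all assumptions, since the report shows the real arguments as '?'.

```python
"""Flag a process-hollowing (RunPE) call chain in a per-process API-call trace.

Added example, not part of the Joe Sandbox report. The Call records below are a
constructed stand-in for a sandbox API log; the argument names (hProcess,
hThread, dwCreationFlags, lpApplicationName) are assumed, since the report
shows most arguments as '?'.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

CREATE_SUSPENDED = 0x00000004  # CreateProcess* dwCreationFlags bit

# Calls a RunPE loader issues against the suspended child, in the order they
# must appear. ReadProcessMemory / GetThreadContext (used to locate the PEB
# and the entry point) are optional, so they are recorded but not required.
HOLLOW_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

# Which argument carries the child handle for each call of interest (assumed names).
HANDLE_ARG = {
    "VirtualAllocEx": "hProcess",
    "WriteProcessMemory": "hProcess",
    "ReadProcessMemory": "hProcess",
    "GetThreadContext": "hThread",
    "SetThreadContext": "hThread",
    "ResumeThread": "hThread",
}


@dataclass
class Call:
    pid: int    # calling process
    api: str    # API name as the sandbox logs it, e.g. "CreateProcessA"
    args: dict  # named arguments (constructed; the report shows these as '?')


@dataclass
class Finding:
    pid: int
    image: str                 # lpApplicationName of the hollowed child
    chain: List[str] = field(default_factory=list)


@dataclass
class _Child:
    image: str
    handles: Set[str]          # hProcess and hThread returned by CreateProcess*
    seen: List[str] = field(default_factory=list)


def _is_subsequence(needle, haystack) -> bool:
    """True if every element of needle occurs in haystack in the same order."""
    it = iter(haystack)
    return all(n in it for n in needle)


def find_hollowing(trace: List[Call]) -> List[Finding]:
    """Return one Finding per suspended child that receives the full
    alloc -> write -> SetThreadContext -> ResumeThread chain from its parent."""
    children: Dict[Tuple[int, str], _Child] = {}
    for c in trace:
        if c.api.startswith("CreateProcess"):
            # Only a child created CREATE_SUSPENDED can be hollowed before it runs.
            if c.args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                children[(c.pid, c.args["hProcess"])] = _Child(
                    c.args.get("lpApplicationName", "?"),
                    {c.args["hProcess"], c.args["hThread"]},
                )
            continue
        arg = HANDLE_ARG.get(c.api)
        if arg is None:
            continue
        handle = c.args.get(arg)
        for (pid, _), child in children.items():
            if pid == c.pid and handle in child.handles:
                child.seen.append(c.api)
    return [
        Finding(pid, child.image, list(child.seen))
        for (pid, _), child in children.items()
        if _is_subsequence(HOLLOW_CHAIN, child.seen)
    ]


# Constructed trace: pid 1234 performs the chain the function listing above
# resolves (CreateProcessA, ReadProcessMemory, VirtualAllocEx,
# WriteProcessMemory, SetThreadContext, ResumeThread); pid 5678 is a benign
# launcher that starts a child suspended and resumes it without touching it.
SAMPLE_TRACE = [
    Call(1234, "CreateProcessA", {"lpApplicationName": r"C:\Windows\System32\svchost.exe",
                                  "dwCreationFlags": CREATE_SUSPENDED,
                                  "hProcess": "0x2a0", "hThread": "0x2a4"}),
    Call(1234, "ReadProcessMemory", {"hProcess": "0x2a0"}),
    Call(1234, "VirtualAllocEx", {"hProcess": "0x2a0", "flProtect": 0x40}),
    Call(1234, "WriteProcessMemory", {"hProcess": "0x2a0"}),
    Call(1234, "WriteProcessMemory", {"hProcess": "0x2a0"}),
    Call(1234, "SetThreadContext", {"hThread": "0x2a4"}),
    Call(1234, "ResumeThread", {"hThread": "0x2a4"}),
    Call(5678, "CreateProcessW", {"lpApplicationName": r"C:\Program Files\App\helper.exe",
                                  "dwCreationFlags": CREATE_SUSPENDED,
                                  "hProcess": "0x1f0", "hThread": "0x1f4"}),
    Call(5678, "ResumeThread", {"hThread": "0x1f4"}),
]

if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_TRACE):
        print(f"pid {f.pid} hollowed {f.image}: {' -> '.join(f.chain)}")
```

Debuggers and crash handlers also call ReadProcessMemory and WriteProcessMemory, so the discriminating part of the chain is SetThreadContext followed by ResumeThread on the initial thread of a child the same process created suspended; the benign launcher in the sample trace resumes its child without writing to it and is not reported, and a trace in which ResumeThread precedes SetThreadContext is not reported either.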

                                                                                   Control-flow Graph
                                                                                   • Blocks: 210: 90dbc12-90dbc82 [PostMessageW]; 212: 90dbc8b-90dbc9f; 213: 90dbc84-90dbc8a
                                                                                   • Edges: 210->212, 210->213, 213->212
                                                                                  APIs
                                                                                  • PostMessageW.USER32(?,?,?,?), ref: 090DBC75
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePost
                                                                                  • String ID:
                                                                                  • API String ID: 410705778-0
                                                                                  • Opcode ID: 74fa23216d68d2190c68d331b88c9a950d59c677bb0789fe134b05f234162332
                                                                                  • Instruction ID: f6d9e06a8e423f7ecfd533dbe0e7bb6fa1b37997ccc4d26f07a6fc6ff3ef1cd1
                                                                                  • Opcode Fuzzy Hash: 74fa23216d68d2190c68d331b88c9a950d59c677bb0789fe134b05f234162332
                                                                                  • Instruction Fuzzy Hash: 881100B59007499FDB10CF99C885BDEBBF8FB48324F20891AE818A7600C775A944CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                   Control-flow Graph
                                                                                   • Blocks: 215: 90dbc18-90dbc82 [PostMessageW]; 216: 90dbc8b-90dbc9f; 217: 90dbc84-90dbc8a
                                                                                   • Edges: 215->216, 215->217, 217->216
                                                                                  APIs
                                                                                  • PostMessageW.USER32(?,?,?,?), ref: 090DBC75
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePost
                                                                                  • String ID:
                                                                                  • API String ID: 410705778-0
                                                                                  • Opcode ID: 1ccb8009c1c5dfbc7ae6b199eb516ab48a817b7b8c6710fb0f8665be2e99ef6a
                                                                                  • Instruction ID: 9219c7bf52c3a4b4278669817dcf84e720c50616634889178b2e90e3bac39e74
                                                                                  • Opcode Fuzzy Hash: 1ccb8009c1c5dfbc7ae6b199eb516ab48a817b7b8c6710fb0f8665be2e99ef6a
                                                                                  • Instruction Fuzzy Hash: 8211E2B59007499FDB10CF99C985BDEBBF8FB48324F10881AE914A7600C775A944CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.707078624.00000000090D0000.00000040.00000001.sdmp, Offset: 090D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_90d0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: UUUU
                                                                                  • API String ID: 0-1798160573
                                                                                  • Opcode ID: 8b542ada9b83f78b2064791fc408686403cef9e368ba45bb911dc957f10fc32b
                                                                                  • Instruction ID: cdd68ed272101ca6e0a707ae50656bcca6243c65c0846165485eb45b3e149009
                                                                                  • Opcode Fuzzy Hash: 8b542ada9b83f78b2064791fc408686403cef9e368ba45bb911dc957f10fc32b
                                                                                  • Instruction Fuzzy Hash: 1C519070E152188FDB64CFADC980BCDBBF1AF48310F548299D168E7246D6349A85CF15
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  C-Code - Quality: 64%
                                                                                  			E00AD573E() {
                                                                                  				signed int* _t35;
                                                                                  				signed int* _t36;
                                                                                  				intOrPtr* _t37;
                                                                                  				signed int _t39;
                                                                                  				intOrPtr* _t40;
                                                                                  				signed char _t41;
                                                                                  				signed char _t42;
                                                                                  				signed char _t43;
                                                                                  				signed char _t44;
                                                                                  				signed char _t45;
                                                                                  				signed char _t46;
                                                                                  				signed char _t47;
                                                                                  				void* _t50;
                                                                                  				signed int* _t51;
                                                                                  				intOrPtr* _t52;
                                                                                  				signed char _t53;
                                                                                  				signed int* _t54;
                                                                                  				void* _t56;
                                                                                  				signed int* _t58;
                                                                                  				void* _t59;
                                                                                  				void* _t60;
                                                                                  
                                                                                  				asm("adc eax, [eax]");
                                                                                  				asm("adc eax, 0x38000000");
                                                                                  				asm("sbb [eax], al");
                                                                                  				 *_t35 = _t35 +  *_t35;
                                                                                  				 *(_t56 + 0x68) =  *(_t56 + 0x68) | _t47;
                                                                                  				 *_t35 = _t35 +  *_t35;
                                                                                  				_t46 = _t45 |  *_t35;
                                                                                  				asm("sgdt [eax]");
                                                                                  				 *_t35 = _t35 +  *_t35;
                                                                                  				 *_t35 = _t35 +  *_t35;
                                                                                  				_t51 = _t50 + _t46;
                                                                                  				_t36 = _t35;
                                                                                  				 *((char*)(_t60 + _t47)) =  *((char*)(_t60 + _t47)) - 1;
                                                                                  				 *((intOrPtr*)(_t59 + 0x22)) =  *((intOrPtr*)(_t59 + 0x22)) + _t36;
                                                                                  				 *_t36 = _t36 +  *_t36;
                                                                                  				_t51[0] = _t36 + _t51[0];
                                                                                  				 *_t36 = _t36 +  *_t36;
                                                                                  				 *_t36 = _t36 +  *_t36;
                                                                                  				asm("retf");
                                                                                  				 *_t36 = _t36 +  *_t36;
                                                                                  				 *((intOrPtr*)(_t46 + 0x1d000002)) =  *((intOrPtr*)(_t46 + 0x1d000002)) + _t46;
                                                                                  				asm("invalid");
                                                                                  				_t37 =  *((intOrPtr*)(_t59 + 2))(cs, ds, es);
                                                                                  				 *_t37 =  *_t37 + _t37;
                                                                                  				asm("adc [edx], al");
                                                                                  				 *_t37 =  *_t37 + _t37;
                                                                                  				 *_t37 =  *_t37 + _t37;
                                                                                  				asm("invalid");
                                                                                  				 *_t37 =  *_t37 + _t37;
                                                                                  				_t39 =  *_t51 * 0x1e80000;
                                                                                  				 *_t39 =  *_t39 + _t39;
                                                                                  				asm("pushad");
                                                                                  				 *_t39 =  *_t39 + _t39;
                                                                                  				 *((intOrPtr*)(_t59 + 2)) =  *((intOrPtr*)(_t59 + 2)) + _t39;
                                                                                  				 *_t39 =  *_t39 + _t39;
                                                                                  				if ( *_t39 != 0) goto L1;
                                                                                  				 *_t39 =  *_t39 + _t39;
                                                                                  				_t40 =  *_t39;
                                                                                  				 *_t40 =  *_t40 + _t40;
                                                                                  				 *_t40 =  *_t40 + _t40;
                                                                                  				 *0x5b000001 =  *0x5b000001 + _t46;
                                                                                  				asm("invalid");
                                                                                  				 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) + 1;
                                                                                  				asm("invalid");
                                                                                  				asm("xlatb");
                                                                                  				 *_t40 =  *_t40 + _t40;
                                                                                  				_t52 = _t51 + _t51;
                                                                                  				asm("invalid");
                                                                                  				_t41 =  *((intOrPtr*)(_t40 - 0x6fffffff))(0);
                                                                                  				 *_t41 =  *_t41 + _t41;
                                                                                  				 *_t46 =  *_t46 + 1;
                                                                                  				 *_t41 =  *_t41 + _t41;
                                                                                  				 *_t52 =  *_t52 + _t41;
                                                                                  				 *_t41 =  *_t41 + _t41;
                                                                                  				if( *_t41 == 0) {
                                                                                  					 *_t41 =  *_t41 + _t41;
                                                                                  				}
                                                                                  				 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) + _t41;
                                                                                  				asm("invalid");
                                                                                  				 *_t41 =  *_t41 + _t41;
                                                                                  				_pop(es);
                                                                                  				 *_t41 =  *_t41 + _t41;
                                                                                  				 *((intOrPtr*)(_t59 - 0x38fffffe)) =  *((intOrPtr*)(_t59 - 0x38fffffe)) + _t41;
                                                                                  				 *_t41 =  *_t41 + _t41;
                                                                                  				 *0xFFFFFFFFFFFFFFFF =  *((intOrPtr*)(0xffffffffffffffff));
                                                                                  				asm("invalid");
                                                                                  				asm("retf 0x2");
                                                                                  				 *_t41 =  *_t41 + _t41;
                                                                                  				_push(cs);
                                                                                  				 *_t41 =  *_t41 + _t41;
                                                                                  				 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) + _t52;
                                                                                  				asm("invalid");
                                                                                  				 *[es:esi] =  *[es:esi] + _t41;
                                                                                  				asm("adc [edi+ebp*2], eax");
                                                                                  				 *_t58 =  *_t58 + _t41;
                                                                                  				 *((intOrPtr*)(_t46 + 0x58)) =  *((intOrPtr*)(_t46 + 0x58)) + _t52;
                                                                                  				 *_t41 =  *_t41 + _t41;
                                                                                  				_push(es);
                                                                                  				asm("adc eax, [0x1220]");
                                                                                  				_t53 = _t52 + _t46;
                                                                                  				_push(cs);
                                                                                  				_t42 = _t41;
                                                                                  				 *_t42 =  *_t42 + 1;
                                                                                  				_push(es);
                                                                                  				asm("adc [ecx], ecx");
                                                                                  				asm("outsd");
                                                                                  				 *_t58 =  *_t58 + _t42;
                                                                                  				 *0 =  *0 & _t53;
                                                                                  				 *_t42 =  *_t42 + _t42;
                                                                                  				_t54 = _t53 + _t46;
                                                                                  				_t43 = _t42;
                                                                                  				es = cs;
                                                                                  				 *_t43 =  *_t43 + _t43;
                                                                                  				 *_t58 =  *_t58 + _t43;
                                                                                  				es = es;
                                                                                  				asm("outsd");
                                                                                  				 *_t58 =  *_t58 + _t43;
                                                                                  				 *_t54 =  *_t54 & _t43;
                                                                                  				 *_t43 =  *_t43 + _t43;
                                                                                  				_push(cs);
                                                                                  				_t44 = _t43;
                                                                                  				asm("invalid");
                                                                                  				 *_t44 =  *_t44 + 1;
                                                                                  				asm("adc [0x366f08], eax");
                                                                                  				 *_t58 =  *_t58 + _t44;
                                                                                  				 *_t58 =  *_t58 & _t44;
                                                                                  				 *_t44 =  *_t44 + _t44;
                                                                                  				 *_t58 =  *_t58 + _t54 + _t46;
                                                                                  				asm("invalid");
                                                                                  				goto ( *__esi);
                                                                                  			}

                                                                                  Instruction addresses of the decompiled statements above: 0x00ad573f 0x00ad5742 0x00ad5747 0x00ad5749 0x00ad574b 0x00ad574e 0x00ad5750 0x00ad5752 0x00ad5755 0x00ad5758 0x00ad575a 0x00ad575d 0x00ad575f 0x00ad5762 0x00ad5765 0x00ad5767 0x00ad576a 0x00ad576e 0x00ad5770 0x00ad5771 0x00ad5773 0x00ad5779 0x00ad577b 0x00ad577e 0x00ad5780 0x00ad5782 0x00ad5786 0x00ad578a 0x00ad578e 0x00ad5790 0x00ad5796 0x00ad5798 0x00ad5799 0x00ad579b 0x00ad579e 0x00ad57a0 0x00ad57a2 0x00ad57a4 0x00ad57a6 0x00ad57a9 0x00ad57ab 0x00ad57b1 0x00ad57b3 0x00ad57b6 0x00ad57b8 0x00ad57b9 0x00ad57bb 0x00ad57bd 0x00ad57bf 0x00ad57c5 0x00ad57c7 0x00ad57c9 0x00ad57cb 0x00ad57ce 0x00ad57d0 0x00ad57d2 0x00ad57d2 0x00ad57d3 0x00ad57d6 0x00ad57da 0x00ad57dc 0x00ad57dd 0x00ad57df 0x00ad57e5 0x00ad57e7 0x00ad57ea 0x00ad57ec 0x00ad57ef 0x00ad57f1 0x00ad57f2 0x00ad57f4 0x00ad57f9 0x00ad57fb 0x00ad57fe 0x00ad5803 0x00ad5805 0x00ad5808 0x00ad580a 0x00ad580b 0x00ad5811 0x00ad5813 0x00ad5814 0x00ad581a 0x00ad581c 0x00ad581d 0x00ad581f 0x00ad5822 0x00ad5824 0x00ad5826 0x00ad5828 0x00ad582b 0x00ad5833 0x00ad5837 0x00ad583a 0x00ad583c 0x00ad583d 0x00ad5840 0x00ad5842 0x00ad5844 0x00ad5848 0x00ad5849 0x00ad584d 0x00ad584f 0x00ad5851 0x00ad5857 0x00ad5859 0x00ad585b 0x00ad585d 0x00ad5861 0x00ad5863

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.702006358.0000000000AD2000.00000002.00020000.sdmp, Offset: 00AD0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.701996582.0000000000AD0000.00000002.00020000.sdmp Download File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_ad0000_ozT6Kif37P9Trrb.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 26ee56445a290d4f61f5225cf2ca0c8ba716f89909cd3d4da6f3ab5c1696cdd5
                                                                                  • Instruction ID: ce7ebc288ccd1d5f9d975bdef315df5996587f848fd6c67a02bc6b76e0887bfb
                                                                                  • Opcode Fuzzy Hash: 26ee56445a290d4f61f5225cf2ca0c8ba716f89909cd3d4da6f3ab5c1696cdd5
                                                                                  • Instruction Fuzzy Hash: 0EE0765100E3C08FC30397749C21685BFBAAE07210B0E49CBD4C5DF0B3D01A9A18D7A2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

                                                                                  Execution Coverage:16.2%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:21
                                                                                  Total number of Limit Nodes:0

                                                                                  Graph

                                                                                  execution_graph 1302 2c61a3c 1304 2c61a48 SearchPathW 1302->1304 1305 2c61bfd 1304->1305 1278 2c604a8 1280 2c604c3 1278->1280 1281 2c60750 1278->1281 1283 2c60755 1281->1283 1282 2c60946 1283->1282 1286 2c619d0 1283->1286 1290 2c619bf 1283->1290 1287 2c619e1 1286->1287 1294 2c60744 1287->1294 1291 2c619d0 1290->1291 1292 2c60744 SearchPathW 1291->1292 1293 2c61a1f 1292->1293 1293->1282 1295 2c61a48 SearchPathW 1294->1295 1297 2c61bfd 1295->1297 1298 2c60498 1299 2c604a8 1298->1299 1300 2c604c3 1299->1300 1301 2c60750 SearchPathW 1299->1301 1301->1300

                                                                                  Executed Functions

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
Control-flow graph (rendered graph not reproduced; entry block 2c61a3c, calls SearchPathW)
APIs
• SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 02C61BEB
Memory Dump Source
• Source File: 0000000E.00000002.716279219.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2c60000_RegSvcs.jbxd
Similarity
• API ID: PathSearch
• String ID:
• API String ID: 2203818243-0
• Opcode ID: 6ef0af4d4eccb93709bf426c8cbbff8e9ff3da1f0ea443e809bb65c14144e747
• Instruction ID: a79126ed2ecea5c319208bac7cc6646d776c714a5e84864c690ad86dbc56e0cc
• Opcode Fuzzy Hash: 6ef0af4d4eccb93709bf426c8cbbff8e9ff3da1f0ea443e809bb65c14144e747
• Instruction Fuzzy Hash: 2B7127B1D006199FDB14CF99C98479DBBF1FF88314F188129E819AB350DB74AA45CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow graph (rendered graph not reproduced; entry block 2c60744, calls SearchPathW)
APIs
• SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 02C61BEB
Memory Dump Source
• Source File: 0000000E.00000002.716279219.0000000002C60000.00000040.00000001.sdmp, Offset: 02C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_2c60000_RegSvcs.jbxd
Similarity
• API ID: PathSearch
• String ID:
• API String ID: 2203818243-0
• Opcode ID: 1d64bbb07437c61f5001d7920416886b4859ffaa3ed11e46ddf1fdf4ca1836ad
• Instruction ID: 8e87c59de031ebd264d94d452d2f8656694bf1e832340989e8698bfcd897e6c7
• Opcode Fuzzy Hash: 1d64bbb07437c61f5001d7920416886b4859ffaa3ed11e46ddf1fdf4ca1836ad
• Instruction Fuzzy Hash: 4A7136B1D006199FDB14CF9AC9887ADBBF1FF88314F188129E819A7350DB74AA45CF90
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Execution Graph

Execution Coverage: 13.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 21
Total number of Limit Nodes: 0

Graph

Execution graph (rendered graph not reproduced; functions de1a3c, de04a8 and de0498 reach SearchPathW)

Executed Functions

Control-flow graph (rendered graph not reproduced; entry block de1a3c, calls SearchPathW)
APIs
• SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 00DE1BEB
Memory Dump Source
• Source File: 00000012.00000002.720789091.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_de0000_dhcpmon.jbxd
Similarity
• API ID: PathSearch
• String ID:
• API String ID: 2203818243-0
• Opcode ID: 564c3fb5d2812aa792c32b9eece0083aaf0780de044b5e533aaab8ffd9df5fdf
• Instruction ID: 490423929964bbb12f7767153f6406de0e1e5f2244ae2d6a43c651f42d67d98c
• Opcode Fuzzy Hash: 564c3fb5d2812aa792c32b9eece0083aaf0780de044b5e533aaab8ffd9df5fdf
• Instruction Fuzzy Hash: 067134B4E002598FDB24DF9AC98479DFBF1BF48314F288129E819AB350DB34A945CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow graph (rendered graph not reproduced; entry block de0744, calls SearchPathW)
APIs
• SearchPathW.KERNELBASE(?,?,?,?,00000000,00000000), ref: 00DE1BEB
Memory Dump Source
• Source File: 00000012.00000002.720789091.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_de0000_dhcpmon.jbxd
Similarity
• API ID: PathSearch
• String ID:
• API String ID: 2203818243-0
• Opcode ID: 9545d9835b07d36eee556e7275a5c779f5e7584feeb392b3e8e6351a76c797d8
• Instruction ID: 6b7f20e0b7e31c3818722b6fdf925f04674fe49c0084a81cbbbf9fbdd207aabd
• Opcode Fuzzy Hash: 9545d9835b07d36eee556e7275a5c779f5e7584feeb392b3e8e6351a76c797d8
• Instruction Fuzzy Hash: 587115B5E002598FDB24DF9AC98479DFBF1BF48314F288029E819AB350D734A945CF91
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 00000015.00000002.727767396.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8d178e8e586e303c09fad139cdbc63928c52089c6bbc436cea56e3f8d8ffc76
• Instruction ID: 982f0cfd3e4d4d92edf49cfcf810a883d4c9e3b78e62693bff5414f89d0d0b08
• Opcode Fuzzy Hash: b8d178e8e586e303c09fad139cdbc63928c52089c6bbc436cea56e3f8d8ffc76
• Instruction Fuzzy Hash: 17326B74705201CFD714EF74E89066A77E6FBC8309B208978C5468B3A9DB39EC86DB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.727767396.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3a8d1e907ab83f95a0854850de884f70f6ffac3d938bfbd3b9552d4dd64f578
• Instruction ID: 10df7e4cb70ef195095e63501e1cdf3a1cad03d83c986d40e118db739d591821
• Opcode Fuzzy Hash: a3a8d1e907ab83f95a0854850de884f70f6ffac3d938bfbd3b9552d4dd64f578
• Instruction Fuzzy Hash: 3B81C435A143458FDB25ABB4C8147AABBF3EF88305F158569D402977B1DF34AC89DB40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.727767396.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97d0c121d60cb90a5ee792e44b22b7e517aa14fc5b818e7f24a67f5b3107056b
• Instruction ID: 95da8fb48278fef502605b70bf4b79b9deb6c4f649ec94110ce63ffaddc176bc
• Opcode Fuzzy Hash: 97d0c121d60cb90a5ee792e44b22b7e517aa14fc5b818e7f24a67f5b3107056b
• Instruction Fuzzy Hash: 39315C707042508FC759AB78C468A6D37E1AF8A21931208BDE506CF7B6DF35EC86CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.727767396.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07f81cb0ceba63c44d75732f773899d1001c7c8b0d1c1b42ea1d425689d68a84
• Instruction ID: 367cab66d3649d9ac2c19d3edb7a0513cd8285b405af7f2737c79184dd62a7cf
• Opcode Fuzzy Hash: 07f81cb0ceba63c44d75732f773899d1001c7c8b0d1c1b42ea1d425689d68a84
• Instruction Fuzzy Hash: FE21FC747101108FC758AB78C468A5D33E1AF8961931108BCE506CF775DF36EC86CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.727767396.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 03c84cbd746c8f578e164c3f98c900bf852dd56cb1b5050fd68f8178cca9e060
• Instruction ID: 3929e6c202882b0eeb83256bde3a5643bbdf46f6d87c7a9a81d9a41097996c14
• Opcode Fuzzy Hash: 03c84cbd746c8f578e164c3f98c900bf852dd56cb1b5050fd68f8178cca9e060
• Instruction Fuzzy Hash: 2911A579E042498FCB00EFB8D8449EEBBF1FF89200B11866AE51597662DB349505CB80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.727767396.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8372dcd0349dbe2f251c7a644d80a2138c619f40f95dc2ac27d66399faa1e99a
• Instruction ID: 1c7d6a6fe3192c76e9418bba95fb3fac630e7106ed9c56bfb0b23838b07bb394
• Opcode Fuzzy Hash: 8372dcd0349dbe2f251c7a644d80a2138c619f40f95dc2ac27d66399faa1e99a
• Instruction Fuzzy Hash: F6019E7AE00209DFCB00EFB8D8409EEFBF5FF8D2007118666E51897621EB34A915CB80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.727767396.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 283895c950b268e2ebddacb332958ffaa94b1fa263f77beee87ae4f426b27c0c
• Instruction ID: 310ddbfe26f50ae5af65d87786f5af41ef39d303ff54685e5f4ac5338518e2e5
• Opcode Fuzzy Hash: 283895c950b268e2ebddacb332958ffaa94b1fa263f77beee87ae4f426b27c0c
• Instruction Fuzzy Hash: 08F0F870A54305CFDB54ABA4C0597AD7BF0AB08359F2508A9D442A77B1CB74AD88CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.727767396.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 755a810aeac3569c77cb65e46cd5b54387946cfdd97a7050e29d08045af54bb4
• Instruction ID: 0c9834db639601cf2cc289411bda5566c20085eaa72b3130cb595b5cf62f4bc1
• Opcode Fuzzy Hash: 755a810aeac3569c77cb65e46cd5b54387946cfdd97a7050e29d08045af54bb4
• Instruction Fuzzy Hash: 49D012357102149FD714EB79E909A5577ACEB45711F604095E604CB264DA61DC14C7D1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.727767396.0000000000B80000.00000040.00000001.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_b80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f466117d095b3f72c25b2223e0458ce9f62e76dc2f7deb0f5d7a61c4ff9f31d3
• Instruction ID: de55fb953b9a2228fe89dabb4387a0912e8301abce01041d157a1b7d7ff493eb
• Opcode Fuzzy Hash: f466117d095b3f72c25b2223e0458ce9f62e76dc2f7deb0f5d7a61c4ff9f31d3
• Instruction Fuzzy Hash: 35D067B1D14229AF8B80EFB999051DEBBF8EA08251B1045A6DA1AE3210E6705A14DBD1
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions