
Analysis Report Receipt#502.exe

Overview

General Information

Sample Name: Receipt#502.exe
Analysis ID: 323033
MD5: e2e26573196fd444c8845d29e73a6b00
SHA1: 8a2fc9e82c11d234e74846451b12c73d69dea955
SHA256: 40fe69be55041a8607bf2596d0fa649ab26f6d6bd6973fb955f14f4e8a066b6c
Tags: exe, NanoCore, nVpn, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Receipt#502.exe (PID: 4636 cmdline: 'C:\Users\user\Desktop\Receipt#502.exe' MD5: E2E26573196FD444C8845D29E73A6B00)
    • schtasks.exe (PID: 1384 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5476 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • RegSvcs.exe (PID: 5480 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x13056d:$x1: NanoCore.ClientPluginHost
  • 0x1305aa:$x2: IClientNetworkHost
  • 0x1340dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1302d5:$a: NanoCore
  • 0x1302e5:$a: NanoCore
  • 0x130519:$a: NanoCore
  • 0x13052d:$a: NanoCore
  • 0x13056d:$a: NanoCore
  • 0x130334:$b: ClientPlugin
  • 0x130536:$b: ClientPlugin
  • 0x130576:$b: ClientPlugin
  • 0x13045b:$c: ProjectData
  • 0x130e62:$d: DESCrypto
  • 0x13882e:$e: KeepAlive
  • 0x13681c:$g: LogClientMessage
  • 0x132a17:$i: get_Connected
  • 0x131198:$j: #=q
  • 0x1311c8:$j: #=q
  • 0x1311e4:$j: #=q
  • 0x131214:$j: #=q
  • 0x131230:$j: #=q
  • 0x13124c:$j: #=q
  • 0x13127c:$j: #=q
  • 0x131298:$j: #=q
00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1e881d:$x1: NanoCore.ClientPluginHost
  • 0x1e885a:$x2: IClientNetworkHost
  • 0x1ec38d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5480, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Receipt#502.exe' , ParentImage: C:\Users\user\Desktop\Receipt#502.exe, ParentProcessId: 4636, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp', ProcessId: 1384

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NeKPJNb.exe | ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: Receipt#502.exe | ReversingLabs: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 4x nop then jmp 0287C3FAh | 0_2_0287B69F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49709 -> 185.244.30.221:2078
Uses dynamic DNS services
Source: unknown | DNS query: name: without.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49709 -> 185.244.30.221:2078
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown | DNS traffic detected: queries for: without.duckdns.org

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 5480, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_07F51C52 NtQuerySystemInformation | 0_2_07F51C52
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_07F51C18 NtQuerySystemInformation | 0_2_07F51C18
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_0287B69F | 0_2_0287B69F
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_02872AEC | 0_2_02872AEC
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_0287A03D | 0_2_0287A03D
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_02871739 | 0_2_02871739
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_0287A4D9 | 0_2_0287A4D9
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_0287A051 | 0_2_0287A051
Source: Receipt#502.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NeKPJNb.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Receipt#502.exe | Binary or memory string: OriginalFilename vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.251961319.0000000000562000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWd.exe2 vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.258409433.0000000007F20000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.258056962.0000000006BF0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.258056962.0000000006BF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.258250701.0000000007EC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Receipt#502.exe
Source: Receipt#502.exe, 00000000.00000002.257944997.0000000006B90000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Receipt#502.exe
Source: Receipt#502.exe | Binary or memory string: OriginalFilenameWd.exe2 vs Receipt#502.exe
Source: 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 5480, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Receipt#502.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NeKPJNb.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/8@2/2
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_07F51782 AdjustTokenPrivileges | 0_2_07F51782
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_07F5174B AdjustTokenPrivileges | 0_2_07F5174B
Source: C:\Users\user\Desktop\Receipt#502.exe | File created: C:\Users\user\AppData\Roaming\NeKPJNb.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{17fd7e7e-3990-4c53-9987-94767303fd64}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Receipt#502.exe | Mutant created: \Sessions\1\BaseNamedObjects\hiXqVUTdIiJejPpdAJEytXszilO
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1140:120:WilError_01
Source: C:\Users\user\Desktop\Receipt#502.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp
Source: C:\Users\user\Desktop\Receipt#502.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Receipt#502.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Receipt#502.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\Receipt#502.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Receipt#502.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Receipt#502.exe | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\Receipt#502.exe | File read: C:\Users\user\Desktop\Receipt#502.exe
Source: unknown | Process created: C:\Users\user\Desktop\Receipt#502.exe 'C:\Users\user\Desktop\Receipt#502.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Receipt#502.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp'
Source: C:\Users\user\Desktop\Receipt#502.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Receipt#502.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Receipt#502.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Receipt#502.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: Receipt#502.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Receipt#502.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Receipt#502.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb | source: Receipt#502.exe, 00000000.00000002.258250701.0000000007EC0000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Receipt#502.exe, SimpleTextEditor/LoginForm.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: NeKPJNb.exe.0.dr, SimpleTextEditor/LoginForm.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Receipt#502.exe.560000.0.unpack, SimpleTextEditor/LoginForm.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Receipt#502.exe.560000.0.unpack, SimpleTextEditor/LoginForm.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_005689D0 push ss; iretd | 0_2_00568CDA
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_00568119 push 00000000h; iretd | 0_2_0056829A
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_00DE2894 push cs; ret | 0_2_00DE29AA
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_00DE2E0D push es; ret | 0_2_00DE2E0E
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_00DE29AC push cs; ret | 0_2_00DE29AA
Source: C:\Users\user\Desktop\Receipt#502.exe | Code function: 0_2_00DE2864 push cs; ret | 0_2_00DE29AA
Source: initial sample | Static PE information: section name: .text entropy: 7.75101312154
    Source: initial sampleStatic PE information: section name: .text entropy: 7.75101312154
    Source: C:\Users\user\Desktop\Receipt#502.exeFile created: C:\Users\user\AppData\Roaming\NeKPJNb.exeJump to dropped file

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp'

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\Receipt#502.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM_3
    Source: Yara match | File source: 00000000.00000002.253473397.0000000002D49000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLX1(R
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1(RF]
    Source: C:\Users\user\Desktop\Receipt#502.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\Receipt#502.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: threadDelayed 814
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 707
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Window / User API: foregroundWindowGot 698
    Source: C:\Users\user\Desktop\Receipt#502.exe TID: 4632 | Thread sleep time: -41500s >= -30000s
    Source: C:\Users\user\Desktop\Receipt#502.exe TID: 456 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: VMware
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: VMware|9(r
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: VMWAREX1(rl[
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIX1(r
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: vmwareX1(r
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: VMWARE
    Source: RegSvcs.exe, 00000005.00000003.304322811.0000000000F9F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: QEMUX1(r}]
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: VMWARE|9(r
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: (r#"SOFTWARE\VMware, Inc.\VMware ToolsX1(rI[
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: VMware |9(r
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
    Source: Receipt#502.exe, 00000000.00000002.253382062.0000000002CD1000.00000004.00000001.sdmp | Binary or memory string: (r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1(r
    Source: Receipt#502.exe, 00000000.00000002.253957388.000000000304A000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: C:\Users\user\Desktop\Receipt#502.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Process token adjusted: Debug
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\Receipt#502.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\Receipt#502.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\Receipt#502.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\Receipt#502.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
    Source: C:\Users\user\Desktop\Receipt#502.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
    Source: C:\Users\user\Desktop\Receipt#502.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
    Source: C:\Users\user\Desktop\Receipt#502.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
    Source: C:\Users\user\Desktop\Receipt#502.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: B00008
    Source: C:\Users\user\Desktop\Receipt#502.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp'
    Source: C:\Users\user\Desktop\Receipt#502.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
    Source: C:\Users\user\Desktop\Receipt#502.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
    Source: RegSvcs.exe, 00000005.00000003.304322811.0000000000F9F000.00000004.00000001.sdmp | Binary or memory string: Program Manager.NET\Framework\v2.0.50727\
    Source: RegSvcs.exe, 00000005.00000003.354584389.0000000000F8A000.00000004.00000001.sdmp | Binary or memory string: Program Manager
    Source: RegSvcs.exe, 00000005.00000003.354143378.0000000000F9F000.00000004.00000001.sdmp | Binary or memory string: Program ManagerCC
    Source: RegSvcs.exe, 00000005.00000003.304322811.0000000000F9F000.00000004.00000001.sdmp | Binary or memory string: Program ManagerX
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Receipt#502.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Receipt#502.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY

    Remote Access Functionality:

Detected Nanocore Rat
Source: Receipt#502.exe, 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Receipt#502.exe PID: 4636, type: MEMORY

    Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Access Token Manipulation1 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Process Injection312 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection312 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing12 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

    Behavior Graph

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

Source | Detection | Scanner | Label | Link
Receipt#502.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Ursu |

    Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\NeKPJNb.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Ursu |

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cnIT | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.carterandcone.comes | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comsiv | 0% | Avira URL Cloud | safe |
http://www.carterandcone.comn-uGu | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.fontbureau.comessed | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.com | 0% | URL Reputation | safe |
http://www.fontbureau.comldF | 0% | Avira URL Cloud | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.fontbureau.comasv | 0% | Avira URL Cloud | safe |
http://www.monotype.m | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/O | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.carterandcone.comn-uh | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.carterandcone.como. | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cntteI | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/jp/Z | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cnd | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/Z | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comF | 0% | URL Reputation | safe |
http://www.carterandcone.comd | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/S | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/H | 0% | URL Reputation | safe |
http://www.carterandcone.comu | 0% | Avira URL Cloud | safe |
http://www.carterandcone.coms | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
http://www.carterandcone.coma-e | 0% | Avira URL Cloud | safe |
http://www.fontbureau.coma | 0% | URL Reputation | safe |
http://www.fontbureau.comd | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/? | 0% | Avira URL Cloud | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/w | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/r | 0% | URL Reputation | safe |

    Domains and IPs

    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
without.duckdns.org | 185.244.30.221 | true | true |  | unknown
g.msn.com | unknown | unknown | false |  | high

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false |  | high
http://www.founder.com.cn/cnIT | Receipt#502.exe, 00000000.00000003.237720086.0000000004F80000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false |  | high
http://www.founder.com.cn/cn/bThe | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comes | Receipt#502.exe, 00000000.00000003.238614597.0000000004F74000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false |  | high
http://www.fontbureau.comsiv | Receipt#502.exe, 00000000.00000003.241721705.0000000004F72000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comn-uGu | Receipt#502.exe, 00000000.00000003.238533764.0000000004F74000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false |  | high
http://www.fontbureau.comessed | Receipt#502.exe, 00000000.00000003.241721705.0000000004F72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | Receipt#502.exe, 00000000.00000003.238406656.0000000004F72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comldF | Receipt#502.exe, 00000000.00000003.240885938.0000000004F72000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersers | Receipt#502.exe, 00000000.00000003.241659047.0000000004FA5000.00000004.00000001.sdmp | false |  | high
http://www.fontbureau.com/designersx= | Receipt#502.exe, 00000000.00000003.241857098.0000000004FA5000.00000004.00000001.sdmp | false |  | high
http://www.fontbureau.comasv | Receipt#502.exe, 00000000.00000003.251857385.0000000004F70000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.monotype.m | Receipt#502.exe, 00000000.00000003.243733741.0000000004FA9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersd | Receipt#502.exe, 00000000.00000003.240614990.0000000004FA5000.00000004.00000001.sdmp | false |  | high
http://www.galapagosdesign.com/DPlease | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/O | Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false |  | high
http://www.sandoll.co.kr | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comn-uh | Receipt#502.exe, 00000000.00000003.238422196.0000000004F79000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como. | Receipt#502.exe, 00000000.00000003.238273524.0000000004F86000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersn | Receipt#502.exe, 00000000.00000003.241857098.0000000004FA5000.00000004.00000001.sdmp | false |  | high
http://www.founder.com.cn/cntteI | Receipt#502.exe, 00000000.00000003.237720086.0000000004F80000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/Z | Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnd | Receipt#502.exe, 00000000.00000003.237743636.000000000114B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Z | Receipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmp | false |  | high
http://www.fontbureau.com | Receipt#502.exe, 00000000.00000003.240885938.0000000004F72000.00000004.00000001.sdmp | false |  | high
http://www.fontbureau.comF | Receipt#502.exe, 00000000.00000003.241721705.0000000004F72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comd | Receipt#502.exe, 00000000.00000003.238614597.0000000004F74000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/S | Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/H | Receipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comu | Receipt#502.exe, 00000000.00000003.238533764.0000000004F74000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coms | Receipt#502.exe, 00000000.00000003.238533764.0000000004F74000.00000004.00000001.sdmp | false |  |
                              • Avira URL Cloud: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/jp/Receipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.carterandcone.coma-eReceipt#502.exe, 00000000.00000003.238533764.0000000004F74000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.comaReceipt#502.exe, 00000000.00000003.251857385.0000000004F70000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.comdReceipt#502.exe, 00000000.00000003.241721705.0000000004F72000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/?Receipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.carterandcone.comlReceipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/cabarga.htmlNReceipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmpfalse
                                high
                                http://www.jiyu-kobo.co.jp/wReceipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.founder.com.cn/cnReceipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers-Receipt#502.exe, 00000000.00000003.240941777.0000000004FA5000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.fontbureau.com/designers/frere-jones.htmlReceipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.jiyu-kobo.co.jp/rReceipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.monotype.Receipt#502.exe, 00000000.00000003.242763996.0000000004FA5000.00000004.00000001.sdmp, Receipt#502.exe, 00000000.00000003.242740004.0000000004FA5000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.commReceipt#502.exe, 00000000.00000003.251857385.0000000004F70000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/Receipt#502.exe, 00000000.00000003.239054630.0000000004F75000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.zhongyicts.com.cno.Receipt#502.exe, 00000000.00000003.238223808.0000000004F83000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers8Receipt#502.exe, 00000000.00000002.256398475.0000000005120000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/hReceipt#502.exe, 00000000.00000003.239418396.0000000004F7C000.00000004.00000001.sdmpfalse
                                        unknown
                                        http://www.carterandcone.comtrWvReceipt#502.exe, 00000000.00000003.238614597.0000000004F74000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.com/designers/Receipt#502.exe, 00000000.00000003.240647661.0000000004FA5000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.fontbureau.com/designers$=Receipt#502.exe, 00000000.00000003.241659047.0000000004FA5000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.fontbureau.com/designersf=Receipt#502.exe, 00000000.00000003.241049835.0000000004FA5000.00000004.00000001.sdmpfalse
                                              high

                                              Contacted IPs

                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.244.30.221 | unknown | Netherlands | 209623 | DAVID_CRAIGGG | true

                                              Private

                                              IP
                                              192.168.2.1

                                              General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323033
Start date: 26.11.2020
Start time: 08:33:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 40s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Receipt#502.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/8@2/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 112
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 92.122.144.200, 104.43.139.144, 51.11.168.160, 52.147.198.201, 20.54.26.129, 2.20.142.209, 2.20.142.210, 51.103.5.159, 104.43.193.48, 52.142.114.176, 92.122.213.247, 92.122.213.194
                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
08:34:25 | API Interceptor | 2x Sleep call for process: Receipt#502.exe modified
08:34:29 | API Interceptor | 1018x Sleep call for process: RegSvcs.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN

Match: DAVID_CRAIGGG

Associated Sample Name / URL | Detection | Context (IP)
New PO 64739 (UK).exe | malicious | 185.140.53.207
90987948.exe | malicious | 185.244.30.223
tzjEwwwbqK.exe | malicious | 185.140.53.149
PO456789.exe | malicious | 185.244.30.212
kelvinx.exe | malicious | 185.140.53.132
Order-2311.exe | malicious | 91.193.75.147
YZD221120.exe | malicious | 91.193.75.147
ORDER #201120A.exe | malicious | 185.244.30.92
oUI0jQS8xQ.exe | malicious | 185.140.53.149
Quotation ATB-PR28500KINH.exe | malicious | 185.140.53.139
Quotation ATB-PR28500KINH.exe | malicious | 185.140.53.139
Ups file de.exe | malicious | 185.140.53.221
NyUnwsFSCa.exe | malicious | 185.140.53.149
purchase order.exe | malicious | 185.140.53.233
Remittance Details.xls | malicious | 185.140.53.184
PaymentConfirmation.exe | malicious | 185.140.53.183
ORDER #02676.doc.exe | malicious | 185.244.30.92
b11305c6ab207f830062f80eeec728c4.exe | malicious | 185.140.53.233
ShippingDoc.jar | malicious | 185.244.30.139
1kn1ejwPxi.exe | malicious | 185.140.53.132

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Receipt#502.exe.log
Process: C:\Users\user\Desktop\Receipt#502.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 641
Entropy (8bit): 5.271473536084351
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2u7x5I6Hi0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2I3rOz2T
MD5: C3EC08CD6BEA8576070D5A52B4B6D7D0
SHA1: 40B95253F98B3CC5953100C0E71DAC7915094A5A
SHA-256: 28B314C3E5651414FD36B2A65B644A2A55F007A34A536BE17514E12CEE5A091B
SHA-512: 5B0E6398A092F08240DC6765425E16DB52F32542FF7250E87403C407E54B3660EF93E0EAD17BA2CEF6B666951ACF66FA0EAD61FB52E80867DDD398E8258DED22
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\d05d469d89b319a068f2123e7e6f8621\System.Web.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp
Process: C:\Users\user\Desktop\Receipt#502.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1644
Entropy (8bit): 5.172014291604984
Encrypted: false
SSDEEP: 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBNETItn:cbhC7ZlNQF/rydbz9I3YODOLNdq3sS
MD5: F033691D15512FA356BEDDA42A45D54B
SHA1: 5B87117DDF17EC4B3E69080974D503997D1603D3
SHA-256: B80844A420C52AC3E1ADF3778CB3F173BBF7904D87273DA4C7DAEAE2130FF74E
SHA-512: 8EC8BA2E4675657A6494E51BED3A5E65848F7396BE907DE7DDD2D6C939A77C92890DDC2CB6A5862D3A446E7AC1D77A913660229C9F6E589A4764359097F463D7
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: data
Category: dropped
Size (bytes): 232
Entropy (8bit): 7.089541637477408
Encrypted: false
SSDEEP: 3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5: 9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1: 76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256: AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512: 93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious: false
Reputation: moderate, very likely benign file
Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: Non-ISO extended-ASCII text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:am:am
MD5: 36331463881AC56549683D2481AC3E0C
SHA1: 35AD2749C9954148597145788A856ACE95B7A02E
SHA-256: D7D3BDD45709C39129DD43B58A1DDC433AF3BA02A7F7771BB71803692E2440C2
SHA-512: 679A30939F5E3BE3404D283AC743A27DB5840C815787A7805346D56203E542AD1BB32D2C0027B766D4069647B461EB8323CBA207490823CFBA013A375EA9C0DA
Malicious: true
Reputation: low
Preview: ..v%)..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: data
Category: dropped
Size (bytes): 24
Entropy (8bit): 4.501629167387823
Encrypted: false
SSDEEP: 3:9bzY6oRDIvYk:RzWDI3
MD5: ACD3FB4310417DC77FE06F15B0E353E6
SHA1: 80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256: DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512: DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious: false
Reputation: moderate, very likely benign file
Preview: 9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 5.320159765557392
Encrypted: false
SSDEEP: 3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
MD5: BB0F9B9992809E733EFFF8B0E562CFD6
SHA1: F0BAB3CF73A04F5A689E6AFC764FEE9276992742
SHA-256: C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
SHA-512: AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
Malicious: false
Reputation: moderate, very likely benign file
Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type: data
Category: dropped
Size (bytes): 426832
Entropy (8bit): 7.999527918131335
Encrypted: true
SSDEEP: 6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
MD5: 653DDDCB6C89F6EC51F3DDC0053C5914
SHA1: 4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
SHA-256: 83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
SHA-512: 27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
Malicious: false
Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\NeKPJNb.exe
Process: C:\Users\user\Desktop\Receipt#502.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 696832
Entropy (8bit): 7.224549357162399
Encrypted: false
SSDEEP: 12288:lb4JO3lL2iNNOhnc4PrvIpMdd2lBKiIQulBt8LFSERr:lb4JO3lL1XWHv9dd2lEiIQ0P88E
MD5: E2E26573196FD444C8845D29E73A6B00
SHA1: 8A2FC9E82C11D234E74846451B12C73D69DEA955
SHA-256: 40FE69BE55041A8607BF2596D0FA649AB26F6D6BD6973FB955F14F4E8A066B6C
SHA-512: 02906FAFFE3BB49E0A936F5D07215FFE8B7CC28B2F65536E17B1B6204AA7966998B4A70BB09BF5A1FDFAA6EFEF6F729FBEABB1A2E3C540CD1965F73EDABC8B78
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 21%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0.................. ... ....@.. ....................................@.....................................O.... ..<............................................................................ ............... ..H............text... .... ...................... ..`.rsrc...<.... ......................@..@.reloc..............................@..B........................H........r...c......x........F...........................................0..G.........}.....(.......(......s....}.....{.....o.....(......{.....{....o.....*..0...........(.....{....{....(.......(....~....vl....,..{....{....o......{....{.....o....o......{....(....}.....o......3..{....{....o.......+....,@..{....{....o....s......{.....{....{....o......{....{....o......*...{....(....o .....{....~....o!....*...{....("...o .....{....~....o!....*...0..+.........,..{.......+....,...{.

                                              Static File Info

                                              General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.224549357162399
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Receipt#502.exe
File size: 696832
MD5: e2e26573196fd444c8845d29e73a6b00
SHA1: 8a2fc9e82c11d234e74846451b12c73d69dea955
SHA256: 40fe69be55041a8607bf2596d0fa649ab26f6d6bd6973fb955f14f4e8a066b6c
SHA512: 02906faffe3bb49e0a936f5d07215ffe8b7cc28b2f65536e17b1b6204aa7966998b4a70bb09bf5a1fdfaa6efef6f729fbeabb1a2e3c540cd1965f73edabc8b78
SSDEEP: 12288:lb4JO3lL2iNNOhnc4PrvIpMdd2lBKiIQulBt8LFSERr:lb4JO3lL1XWHv9dd2lEiIQ0P88E
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0.................. ... ....@.. ....................................@................................

                                              File Icon

Icon Hash: 68f0e46cecf4e1e3

                                              Static PE Info

                                              General

Entrypoint: 0x481c1a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FBEF892 [Thu Nov 26 00:36:34 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the add byte ptr [eax], al line repeats for the rest of the preview: it is the disassembly of 00 00, the zero padding that follows the six-byte stub. 0x402000 is ImageBase 0x400000 plus the IAT RVA 0x2000, so the native entry point is the usual managed-executable stub, an indirect jump through the single mscoree.dll!_CorExeMain import thunk.)

                                              Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x81bc8          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x82000          0x29f3c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xac000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                              Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x7fc20       0x7fe00   False     0.842004979228   data       7.75101312154   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x82000          0x29f3c       0x2a000   False     0.128830682664   data       4.0760655749    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xac000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

Name           RVA      Size     Type                                                                                                                              Language  Country
RT_ICON        0x822b0  0x1f33   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x841e4  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0x94a0c  0x94a8   data
RT_ICON        0x9deb4  0x5488   data
RT_ICON        0xa333c  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 47359, next used block 4282318848
RT_ICON        0xa7564  0x25a8   data
RT_ICON        0xa9b0c  0x10a8   data
RT_ICON        0xaabb4  0x988    data
RT_ICON        0xab53c  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xab9a4  0x84     data
RT_VERSION     0xaba28  0x328    data
RT_MANIFEST    0xabd50  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                              Imports

DLL          Import
mscoree.dll  _CorExeMain
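The Static PE Info, Entrypoint Preview, Data Directories, Sections and Imports tables above describe one thing from several angles: a PE32 whose only native import is mscoree.dll!_CorExeMain, with the IAT at RVA 0x2000 (8 bytes), the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) directly behind it at 0x2008, and an entry point 0x481c1a (RVA 0x81c1a) that is the last six bytes of .text (0x2000 + 0x7fc20 = 0x81c20) and consists of `jmp dword ptr [0x402000]`, i.e. a jump through that IAT slot. The Python below is an example added to this report, not code from the report or from the sample, and it performs exactly those checks with the standard library only. Since the sample itself cannot ship with the page, `build_sample_pe` constructs a minimal PE32 with the same skeleton (same image base, directory indices, stub placement and DLL characteristics; all other header values are placeholders chosen for the example), and `parse_pe` is the general routine that can be pointed at any PE32 file.

```python
import struct

OPT32_FMT = "<HBB9I6H4I2H6I"   # PE32 optional header up to NumberOfRvaAndSizes (96 bytes)
SECTION_FMT = "<8s6I2HI"       # IMAGE_SECTION_HEADER (40 bytes)
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14   # data-directory indices used by the checks below


def build_sample_pe():
    """Constructed input (not the analysed file): a minimal PE32 laid out like the report's
    sample. One .text section at RVA 0x2000 whose first 8 bytes are the IAT, followed by the
    CLR header, with the 6-byte `jmp dword ptr [IAT]` stub as the section's last bytes."""
    image_base, text_rva, text_size = 0x400000, 0x2000, 0x200
    text = bytearray(text_size)
    struct.pack_into("<II", text, 0, 0x2060, 0)        # IAT: one thunk slot plus terminator
    struct.pack_into("<IHH", text, 8, 0x48, 2, 5)      # CLR header: cb=0x48, runtime 2.5
    entry_rva = text_rva + text_size - 6
    text[-6:] = b"\xff\x25" + struct.pack("<I", image_base + text_rva)  # jmp dword ptr [0x402000]

    dirs = [(0, 0)] * 16
    dirs[DIR_IAT] = (text_rva, 8)
    dirs[DIR_COM_DESCRIPTOR] = (text_rva + 8, 0x48)
    opt = struct.pack(OPT32_FMT, 0x10b, 8, 0, text_size, 0, 0, entry_rva, text_rva, 0,
                      image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                      0x3000, 0x200, 0, 2, 0x8540,  # GUI subsystem; NO_SEH|TSAWARE|DYNAMIC_BASE|NX
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14c, 1, 0x5FBEF892, 0, 0, len(opt), 0x0102)
    sect = struct.pack(SECTION_FMT, b".text", text_size, text_rva, text_size, 0x200,
                       0, 0, 0, 0, 0x60000020)        # CODE | EXECUTE | READ
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3c, 64)              # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return headers.ljust(0x200, b"\0") + bytes(text)


def parse_pe(data):
    """Return the facts the report's Static PE Info lists plus two checks: is there a CLR
    header, and is the entry point the standard managed stub `jmp dword ptr [IAT]`."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3c)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    opt = struct.unpack_from(OPT32_FMT, data, opt_off)
    if opt[0] != 0x10b:
        raise ValueError("only PE32 is handled here (magic 0x%x)" % opt[0])
    entry_rva, image_base, ndirs = opt[6], opt[9], opt[29]
    dir_off = opt_off + struct.calcsize(OPT32_FMT)
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rsize": rsize, "raw": rptr, "chars": sc})

    def rva_to_off(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
                return s["raw"] + (rva - s["va"]), s
        raise ValueError("RVA 0x%x is not inside any section" % rva)

    entry_off, entry_sect = rva_to_off(entry_rva)
    stub = data[entry_off:entry_off + 6]
    iat_rva = dirs[DIR_IAT][0] if len(dirs) > DIR_IAT else 0
    is_thunk = (len(stub) == 6 and stub[:2] == b"\xff\x25"          # jmp dword ptr [imm32]
                and struct.unpack("<I", stub[2:])[0] - image_base == iat_rva)
    clr_rva, clr_size = dirs[DIR_COM_DESCRIPTOR] if len(dirs) > DIR_COM_DESCRIPTOR else (0, 0)
    runtime = None
    if clr_size:
        off, _ = rva_to_off(clr_rva)
        _, major, minor = struct.unpack_from("<IHH", data, off)  # cb, MajorRuntimeVersion, Minor
        runtime = (major, minor)
    return {"machine": machine, "timestamp": timestamp, "image_base": image_base,
            "entry_va": image_base + entry_rva, "entry_section": entry_sect["name"],
            "entry_is_corexemain_thunk": is_thunk,
            "entry_at_section_end": entry_rva + 6 == entry_sect["va"] + entry_sect["vsize"],
            "is_dotnet": clr_size != 0, "clr_runtime": runtime, "sections": sections}


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for k, v in info.items():
        print("%-26s %s" % (k, hex(v) if isinstance(v, int) and k != "machine" else v))
```

To run it against a real file, call `parse_pe(open(path, "rb").read())`. A managed executable reports `is_dotnet` True, `entry_is_corexemain_thunk` True and, as in this report, `entry_at_section_end` True; `clr_runtime` is the CLR header's runtime version (2.5 for every CLR since 2.0), which is a different field from the "v2.0.50727" metadata version string the report shows. An unmanaged PE that merely imports mscoree.dll, or a managed PE whose entry point is not the plain stub, fails the second check and deserves a closer look.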

                                              Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2016 - 2020
Assembly Version  1.0.0.0
InternalName      Wd.exe
FileVersion       1.0.0.0
CompanyName       Vendetta Inc.
LegalTrademarks
Comments
ProductName       Aku Form
ProductVersion    1.0.0.0
FileDescription   Aku Form
OriginalFilename  Wd.exe

                                              Network Behavior

                                              Snort IDS Alerts

Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
11/26/20-08:34:31.641727  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49709        2078       192.168.2.5  185.244.30.221
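The Snort alert and the packet list that follows describe a single TCP session, 192.168.2.5:49709 to 185.244.30.221:2078, in which the client sends a few segments and the server answers within a second with a burst of many more, consistent with the server pushing data to a newly connected client. The Python below is an example added to this report (it is not the report's own tooling and not a detection product's rule) that rebuilds that picture from rows in the packet list's format: it parses each row into a packet, folds packets into bidirectional flows, and attaches the reasons an analyst would escalate a flow (server port outside the expected set, a matching IDS alert on the same 4-tuple, and a server that sends more than the client). The 19 embedded rows are the first rows of the list below, re-typed with whitespace separators; the expected-port set and the mapping of "CET" to UTC+1 are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the report's first 19 TCP packet rows, re-typed as whitespace-separated
# columns (Timestamp, Source Port, Dest Port, Source IP, Dest IP).
PACKET_ROWS = """
Nov 26, 2020 08:34:31.474524975 CET 49709 2078 192.168.2.5 185.244.30.221
Nov 26, 2020 08:34:31.582503080 CET 2078 49709 185.244.30.221 192.168.2.5
Nov 26, 2020 08:34:31.583118916 CET 49709 2078 192.168.2.5 185.244.30.221
Nov 26, 2020 08:34:31.641726971 CET 49709 2078 192.168.2.5 185.244.30.221
Nov 26, 2020 08:34:31.797629118 CET 2078 49709 185.244.30.221 192.168.2.5
Nov 26, 2020 08:34:31.797771931 CET 49709 2078 192.168.2.5 185.244.30.221
Nov 26, 2020 08:34:31.826636076 CET 2078 49709 185.244.30.221 192.168.2.5
Nov 26, 2020 08:34:31.868154049 CET 49709 2078 192.168.2.5 185.244.30.221
Nov 26, 2020 08:34:31.966736078 CET 2078 49709 185.244.30.221 192.168.2.5
Nov 26, 2020 08:34:31.966922998 CET 49709 2078 192.168.2.5 185.244.30.221
Nov 26, 2020 08:34:32.075277090 CET 2078 49709 185.244.30.221 192.168.2.5
Nov 26, 2020 08:34:32.099747896 CET 49709 2078 192.168.2.5 185.244.30.221
Nov 26, 2020 08:34:32.362883091 CET 2078 49709 185.244.30.221 192.168.2.5
Nov 26, 2020 08:34:32.363248110 CET 2078 49709 185.244.30.221 192.168.2.5
Nov 26, 2020 08:34:32.363298893 CET 2078 49709 185.244.30.221 192.168.2.5
Nov 26, 2020 08:34:32.363347054 CET 2078 49709 185.244.30.221 192.168.2.5
Nov 26, 2020 08:34:32.363384008 CET 2078 49709 185.244.30.221 192.168.2.5
Nov 26, 2020 08:34:32.363431931 CET 49709 2078 192.168.2.5 185.244.30.221
Nov 26, 2020 08:34:32.363519907 CET 49709 2078 192.168.2.5 185.244.30.221
""".strip().splitlines()

# Constructed sample: the report's single Snort alert, reduced to SID, message and 4-tuple.
SNORT_ALERTS = [
    {"sid": 2025019, "msg": "ET TROJAN Possible NanoCore C2 60B",
     "src": "192.168.2.5", "sport": 49709, "dst": "185.244.30.221", "dport": 2078},
]

# Assumption for this example: server ports a workstation is expected to reach on the Internet.
EXPECTED_SERVER_PORTS = {53, 80, 123, 443, 587, 993}

ROW_RE = re.compile(
    r"^(?P<date>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) CET\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)$")
CET = timezone(timedelta(hours=1))   # assumption: report timestamps are CET (UTC+1 in November)


def parse_packet_row(line):
    """One packet-list row -> dict with a float epoch timestamp (nanosecond digits kept)."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised packet row: %r" % line)
    base = datetime.strptime(m["date"], "%b %d, %Y %H:%M:%S").replace(tzinfo=CET)
    frac = int(m["frac"]) / 10 ** len(m["frac"])
    return {"ts": base.timestamp() + frac, "sport": int(m["sport"]), "dport": int(m["dport"]),
            "src": m["src"], "dst": m["dst"]}


def summarize_flows(packets):
    """Fold packets into bidirectional flows. The first packet seen on a 4-tuple defines the
    client -> server direction, which is the SYN direction when the capture precedes the handshake."""
    flows = {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in flows:
            f, to_server = flows[fwd], True
        elif rev in flows:
            f, to_server = flows[rev], False
        else:
            f = flows[fwd] = {"client": p["src"], "cport": p["sport"], "server": p["dst"],
                              "dport": p["dport"], "to_server": 0, "to_client": 0,
                              "first": p["ts"], "last": p["ts"]}
            to_server = True
        f["to_server" if to_server else "to_client"] += 1
        f["first"], f["last"] = min(f["first"], p["ts"]), max(f["last"], p["ts"])
    for f in flows.values():
        f["duration"] = f["last"] - f["first"]
    return list(flows.values())


def flag_flows(flows, alerts):
    """Attach the reasons a flow deserves analyst attention (empty list = nothing noteworthy)."""
    flagged = []
    for f in flows:
        reasons = []
        if f["dport"] not in EXPECTED_SERVER_PORTS:
            reasons.append("server port %d is not an expected service port" % f["dport"])
        for a in alerts:
            if (a["src"], a["sport"], a["dst"], a["dport"]) == (f["client"], f["cport"], f["server"], f["dport"]):
                reasons.append("Snort SID %d: %s" % (a["sid"], a["msg"]))
        if f["to_client"] > f["to_server"]:
            reasons.append("server sent more packets than the client (%d vs %d)"
                           % (f["to_client"], f["to_server"]))
        flagged.append({**f, "reasons": reasons})
    return flagged


def analyse(lines=PACKET_ROWS, alerts=SNORT_ALERTS):
    return flag_flows(summarize_flows(parse_packet_row(l) for l in lines), alerts)


if __name__ == "__main__":
    for f in analyse():
        print("%s:%d -> %s:%d  %d/%d packets  %.3f s" % (f["client"], f["cport"], f["server"],
              f["dport"], f["to_server"], f["to_client"], f["duration"]))
        for r in f["reasons"]:
            print("   -", r)
```

On the embedded rows this yields one flow with 9 client and 10 server packets over 0.889 s, flagged for the non-standard port 2078 and for SID 2025019; run over the complete list below, the server-to-client count grows far beyond the client's, which is the pattern the Snort signature and the "non-standard ports" line in the report's signature list both point at.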

                                              Network Port Distribution

                                              TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 26, 2020 08:34:31.474524975 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:31.582503080 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:31.583118916 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:31.641726971 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:31.797629118 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:31.797771931 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:31.826636076 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:31.868154049 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:31.966736078 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:31.966922998 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.075277090 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.099747896 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.362883091 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.363248110 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.363298893 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.363347054 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.363384008 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.363431931 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.363519907 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.477133989 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.477185965 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.477261066 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.477319956 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.485071898 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.485132933 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.485179901 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.485254049 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.485286951 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.486920118 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.491051912 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.491157055 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.585505009 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.585623026 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.585702896 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.585853100 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.585900068 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.586067915 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.595840931 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.595899105 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.596014023 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.596139908 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.596177101 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.596225977 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.596241951 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.596275091 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.596330881 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.596467018 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.596515894 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.596566916 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.607662916 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.607717037 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.607781887 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.608422995 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.608700991 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.608805895 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.698178053 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.698373079 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.698409081 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.698502064 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.701559067 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.701848030 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.701894045 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.701953888 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.701992035 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.702028990 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.702042103 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.702084064 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.702620029 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.702658892 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.702713966 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.702797890 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.702914953 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.702986002 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.702991009 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.703022957 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.703108072 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.703111887 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.703165054 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.703200102 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.703236103 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.703238010 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.703274965 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.703295946 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.703497887 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.703538895 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.703571081 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.703905106 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.703967094 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.704054117 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.704082966 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.704195976 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.720489025 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.720604897 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.720650911 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.720725060 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.720916033 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.721002102 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.725481033 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.725653887 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.725687981 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.725717068 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.725766897 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.725796938 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.859112978 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.859163046 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.859200954 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.859405041 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.859586954 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.859685898 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.859700918 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.859762907 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.859818935 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.859826088 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.859860897 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.859899044 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.859914064 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.859951019 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860009909 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860013008 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.860063076 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860088110 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860125065 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.860138893 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860189915 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860196114 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.860244036 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860296965 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860300064 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.860342979 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860380888 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860415936 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860424042 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.860454082 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860491991 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860518932 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.860553980 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.860693932 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860737085 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860776901 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860799074 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.860833883 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860888958 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860929012 CET  49709        2078       192.168.2.5     185.244.30.221
Nov 26, 2020 08:34:32.860937119 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.860995054 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.861028910 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.861059904 CET  2078         49709      185.244.30.221  192.168.2.5
Nov 26, 2020 08:34:32.861094952 CET  49709        2078       192.168.2.5     185.244.30.221
                                              Nov 26, 2020 08:34:32.861143112 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.861169100 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.861211061 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.861241102 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.861248970 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.861284971 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.861308098 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.861541033 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.861584902 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.861625910 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.861627102 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.861673117 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.861690044 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.861711025 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.861748934 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.861766100 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.861815929 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.961559057 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.961608887 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.961695910 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.961739063 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.962059975 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.962152004 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.964409113 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.964447021 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.964546919 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.964570045 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.971508026 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.971731901 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.971749067 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.971813917 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.971946955 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.971968889 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.972011089 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.972012043 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.972063065 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.972086906 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.972188950 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.972261906 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.980079889 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.980113983 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.980134010 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.980287075 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.980324030 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.980355978 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.983138084 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.991851091 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.991915941 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.991938114 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.991977930 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992021084 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992034912 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992225885 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992249012 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992294073 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992305994 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992321014 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992366076 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992435932 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992494106 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992502928 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992552996 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992563963 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992589951 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992613077 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992619991 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992634058 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992635965 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992654085 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992655039 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992682934 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992700100 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.992808104 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992829084 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992851019 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992871046 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992892027 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.992944956 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.993035078 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.993242979 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.993262053 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.993289948 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.993344069 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.995215893 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.995244026 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.995296955 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.995330095 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.995388031 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.995507956 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.995527983 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.995549917 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:32.995594978 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:32.995644093 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.073245049 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.073417902 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.100476027 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.100702047 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.105592012 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.105621099 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.105664968 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.105770111 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.105813026 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.105833054 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.105844021 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.105844975 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.105896950 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.105915070 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.106189013 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.230971098 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.230989933 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.231123924 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.231349945 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.231369972 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.231408119 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.231475115 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.231508970 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.231522083 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.231607914 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.231673002 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.231709003 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.231764078 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.234543085 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.234580040 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.234715939 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.234812021 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.234920025 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.234926939 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.234951973 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.235049963 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.235196114 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.235230923 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.235264063 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.235295057 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.235299110 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.235397100 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.236053944 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.236087084 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.236161947 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.236476898 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.236510038 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.236589909 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.236663103 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.236697912 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.236766100 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.237020016 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.290203094 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.366821051 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.366933107 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.366951942 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.366969109 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.366987944 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367067099 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.367121935 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.367429972 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367449999 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367499113 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.367512941 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367528915 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367548943 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367563009 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.367566109 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367583990 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367598057 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.367600918 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367634058 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.367682934 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367733955 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367733955 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.367767096 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367928028 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367944002 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.367981911 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.368007898 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.368155003 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.368205070 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.368222952 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.368238926 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.368273020 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.368287086 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.368294954 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.368323088 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.368341923 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.368395090 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.368453979 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.368520975 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.405168056 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.446347952 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.484486103 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.484509945 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.484524965 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.484625101 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.484891891 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.484909058 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.484921932 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.484937906 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.484954119 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.484985113 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.485018969 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.485095024 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485114098 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485130072 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485146046 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485162973 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485166073 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.485184908 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485187054 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.485240936 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.485369921 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485409975 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485426903 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485440016 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485455990 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485471010 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485477924 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.485487938 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485517025 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.485524893 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485563993 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485578060 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.485600948 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485666037 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485714912 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.485867977 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.485927105 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.573892117 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.598790884 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.598809958 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.598825932 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.598840952 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.598897934 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.598968029 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.598987103 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.599001884 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.599020004 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.599072933 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.599080086 CET497092078192.168.2.5185.244.30.221
                                              Nov 26, 2020 08:34:33.599313974 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.599332094 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.599351883 CET207849709185.244.30.221192.168.2.5
                                              Nov 26, 2020 08:34:33.599370003 CET207849709185.244.30.221192.168.2.5
Nov 26, 2020 08:34:33.599386930 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599401951 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599419117 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599452972 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.599479914 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.599492073 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.599682093 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599701881 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599719048 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599735022 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599751949 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599785089 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.599791050 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599823952 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.599843979 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599862099 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599879026 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599895954 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.599925995 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.599980116 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.600020885 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.600040913 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.600056887 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.600099087 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.600126982 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.754301071 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754344940 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754375935 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754525900 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.754538059 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754566908 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754600048 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754687071 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754767895 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754796028 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754832029 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754925966 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.754951000 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.755099058 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.755125046 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.755136013 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.755276918 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.756388903 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.756417036 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.756580114 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:33.756604910 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.756630898 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.756649017 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:33.756720066 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:34.456377983 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:34.728599072 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:34.826222897 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:34.868412971 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:34.881216049 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:34.981302977 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:35.024616003 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:35.049000025 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:35.073951960 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:35.202275038 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:35.207290888 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:35.325342894 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:35.325568914 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:35.481681108 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:35.481817961 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:35.642334938 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:35.865408897 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:36.040661097 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:36.709655046 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:36.759171009 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:36.791723967 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:36.942044973 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:41.807145119 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:42.118994951 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:42.431421041 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:42.832406998 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:42.884635925 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:42.932396889 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:43.293977022 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:43.337742090 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:46.757107019 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:46.806946039 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:46.919095039 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:47.084784985 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:49.085740089 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:49.135189056 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:51.757755995 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:51.807200909 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:52.027362108 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:52.182099104 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:56.763608932 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:56.807662964 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:57.102413893 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:57.151823044 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:57.310870886 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:57.542484999 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:01.765510082 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:01.808593988 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:02.355541945 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:02.529999018 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:05.156362057 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:05.199425936 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:06.767143011 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:06.808469057 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:07.404946089 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:07.570861101 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:11.768261909 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:11.808883905 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:12.599472046 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:12.759057045 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:13.187762022 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:13.230889082 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:16.779122114 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:16.824935913 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:17.716672897 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:17.875969887 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:21.273201942 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:21.325335026 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:21.912362099 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:21.965976954 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:22.815999031 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:22.971621037 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:26.915549994 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:26.966617107 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:27.811054945 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:27.972569942 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:29.312022924 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:29.357914925 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:31.916764021 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:31.966793060 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:32.870016098 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:33.047249079 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:36.944087982 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:36.998590946 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:37.401614904 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:37.451611042 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:37.921063900 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:38.127351046 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:41.945821047 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:42.014514923 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:43.026716948 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:43.186227083 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:45.519526005 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:45.561674118 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:46.953491926 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:46.999301910 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:48.063031912 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:48.222491026 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:51.956439018 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:51.999814034 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:53.062922001 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:53.229485989 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:53.640456915 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:53.687516928 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:56.981553078 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:57.031356096 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:58.219506979 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:58.388233900 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:01.760986090 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:01.813024044 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:02.499999046 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:02.547457933 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:03.219883919 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:03.387655020 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:07.503108025 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:07.547863007 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:08.282937050 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:08.594877958 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:08.907529116 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:09.516863108 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:10.285562992 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:10.329369068 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:12.505353928 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:12.548511028 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:13.314551115 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:13.468118906 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:17.511626005 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:17.564487934 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:18.092870951 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:18.142622948 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:18.362169027 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:18.398057938 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:18.398289919 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:18.554971933 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:22.512947083 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:22.564821005 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:23.425154924 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:23.586024046 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:26.130534887 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:26.174546957 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:27.518171072 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:36:27.565232992 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:28.537692070 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:36:28.694528103 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2020 08:34:31.242402077 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:34:31.444324017 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:34:35.602926970 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:34:35.640588045 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:34:37.237322092 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:34:37.264524937 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:34:39.862066984 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:34:39.889306068 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:34:51.537843943 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:34:51.564810991 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:34:52.348002911 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:34:52.374954939 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:34:54.386253119 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:34:54.413346052 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:34:55.135413885 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:34:55.162417889 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:34:57.774050951 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:34:57.809693098 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:34:59.455619097 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:34:59.482768059 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:03.161185980 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:03.188561916 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:05.595487118 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:05.630959988 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:06.143502951 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:06.179116964 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:09.619523048 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:09.655287981 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:10.323987961 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:10.351022005 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:10.471493959 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:10.498734951 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:13.485687017 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:13.536479950 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:15.625456095 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:15.660779953 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:15.928908110 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:15.975043058 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:17.544102907 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:17.571263075 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Nov 26, 2020 08:35:45.001585007 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Nov 26, 2020 08:35:45.028789043 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 26, 2020 08:34:31.242402077 CET | 192.168.2.5 | 8.8.8.8 | 0xd3a8 | Standard query (0) | without.duckdns.org | A (IP address) | IN (0x0001)
Nov 26, 2020 08:35:13.485687017 CET | 192.168.2.5 | 8.8.8.8 | 0xd558 | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 26, 2020 08:34:31.444324017 CET | 8.8.8.8 | 192.168.2.5 | 0xd3a8 | No error (0) | without.duckdns.org | - | 185.244.30.221 | A (IP address) | IN (0x0001)
Nov 26, 2020 08:35:13.536479950 CET | 8.8.8.8 | 192.168.2.5 | 0xd558 | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001)
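
The packet and DNS tables above carry the chain a network analyst wants to pull out of this report: a query for the dynamic-DNS name without.duckdns.org, an answer of 185.244.30.221, and then a single long-lived TCP session from 192.168.2.5:49709 to that address on port 2078 with a client packet every five seconds. The script below is an added example, not code from the report or from Joe Sandbox. It correlates the DNS answers with the TCP packet rows, groups packets into client/server flows, and scores each flow on three traits: the destination was resolved from a dynamic-DNS zone, the destination port is not one where outbound sessions are routine, and the outbound packets are periodic. The zone list and port list are assumptions to tune locally; the sample rows are copied from this page (the two DNS answers and the keep-alive part of the 49709 to 2078 flow), in the pipe-separated layout used in the tables above.

```python
"""Correlate sandbox DNS answers with TCP packet rows to surface dynamic-DNS C2.

Added example, not Joe Sandbox code. Both input tables are constructed from
rows shown in the report: the two DNS answers and a subset of the keep-alive
exchange on the 49709 <-> 2078 flow.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Dynamic-DNS zones commonly abused by commodity RATs for C2 (assumption: a
# starter list to extend from your own intel; the report only evidences duckdns.org).
DYNAMIC_DNS_ZONES = ("duckdns.org", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org")
# Destination ports on which an outbound session is unremarkable (assumption, tune per site).
COMMON_PORTS = {21, 22, 25, 80, 110, 143, 443, 465, 587, 993, 995, 8080}

# Constructed sample: "timestamp | name | address" (a CNAME-only answer has no address).
SAMPLE_DNS_ANSWERS = """
Nov 26, 2020 08:34:31.444324017 CET | without.duckdns.org | 185.244.30.221
Nov 26, 2020 08:35:13.536479950 CET | g.msn.com |
"""

# Constructed sample: "timestamp | src port | dst port | src ip | dst ip".
SAMPLE_TCP_PACKETS = """
Nov 26, 2020 08:34:46.757107019 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:46.806946039 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:51.757755995 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:51.807200909 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:34:56.763608932 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:34:56.807662964 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:01.765510082 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:01.808593988 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:06.767143011 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:06.808469057 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:11.768261909 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:11.808883905 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
Nov 26, 2020 08:35:16.779122114 CET | 2078 | 49709 | 185.244.30.221 | 192.168.2.5
Nov 26, 2020 08:35:16.824935913 CET | 49709 | 2078 | 192.168.2.5 | 185.244.30.221
"""

_TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{1,9}) \w+$")


def parse_timestamp(text: str) -> datetime:
    """Parse 'Nov 26, 2020 08:34:46.757107019 CET'; nanoseconds are truncated to microseconds."""
    m = _TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int((m.group(2) + "000000")[:6]))


def parse_rows(table: str) -> list[list[str]]:
    """Split a pipe-separated table into stripped cells, skipping blank lines."""
    return [[c.strip() for c in line.split("|")]
            for line in table.splitlines() if line.strip()]


def names_by_address(dns_table: str) -> dict[str, set[str]]:
    """Map each answered address to the names that resolved to it (CNAME-only rows are skipped)."""
    out: dict[str, set[str]] = defaultdict(set)
    for _ts, name, address in parse_rows(dns_table):
        if address:
            out[address].add(name)
    return out


def is_dynamic_dns(name: str) -> bool:
    return any(name == z or name.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def analyze_flows(tcp_table: str, dns_table: str, home_net: str = "192.168.2.") -> list[dict]:
    """Group outbound packets into flows and score each for C2 traits."""
    resolved = names_by_address(dns_table)
    outbound: dict[tuple, list[datetime]] = defaultdict(list)
    for ts, sport, dport, sip, dip in parse_rows(tcp_table):
        if sip.startswith(home_net) and not dip.startswith(home_net):
            outbound[(sip, int(sport), dip, int(dport))].append(parse_timestamp(ts))
    findings = []
    for (sip, sport, dip, dport), times in outbound.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else 0.0
        # Periodic if the spread of inter-packet gaps is within 10% of the median gap.
        periodic = len(gaps) >= 3 and max(gaps) - min(gaps) < 0.1 * med
        names = sorted(resolved.get(dip, ()))
        findings.append({
            "client": f"{sip}:{sport}", "server": f"{dip}:{dport}", "names": names,
            "dynamic_dns": any(is_dynamic_dns(n) for n in names),
            "nonstandard_port": dport not in COMMON_PORTS,
            "packets_out": len(times), "median_gap_s": round(med, 3), "periodic": periodic,
        })
    return findings


def suspicious(findings: list[dict]) -> list[dict]:
    """Keep flows that show all three traits at once."""
    return [f for f in findings if f["dynamic_dns"] and f["nonstandard_port"] and f["periodic"]]


if __name__ == "__main__":
    for f in suspicious(analyze_flows(SAMPLE_TCP_PACKETS, SAMPLE_DNS_ANSWERS)):
        print(f)
```

On the sample the one flow is reported with names ["without.duckdns.org"], a median gap of 5.0 s and all three flags set. On the full packet list the burst at 08:34:33 (the session setup) widens the gap spread, so for real captures compute the periodicity over a sliding window or the tail of the flow rather than over the whole session.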

                                              Code Manipulations

                                              Statistics

                                              CPU Usage

                                              Memory Usage

                                              High Level Behavior Distribution

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:08:34:20
                                              Start date:26/11/2020
                                              Path:C:\Users\user\Desktop\Receipt#502.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\Receipt#502.exe'
                                              Imagebase:0x560000
                                              File size:696832 bytes
                                              MD5 hash:E2E26573196FD444C8845D29E73A6B00
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.254057757.0000000003CD8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.254741913.0000000003EC2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.253473397.0000000002D49000.00000004.00000001.sdmp, Author: Joe Security
                                              Reputation:low

                                              General

                                              Start time:08:34:26
                                              Start date:26/11/2020
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NeKPJNb' /XML 'C:\Users\user\AppData\Local\Temp\tmpD3E9.tmp'
                                              Imagebase:0xa10000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:08:34:27
                                              Start date:26/11/2020
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7ecfc0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:08:34:27
                                              Start date:26/11/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                              Wow64 process (32bit):false
                                              Commandline:{path}
                                              Imagebase:0x1e0000
                                              File size:32768 bytes
                                              MD5 hash:71369277D09DA0830C8C59F9E22BB23A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              General

                                              Start time:08:34:28
                                              Start date:26/11/2020
                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:{path}
                                              Imagebase:0x7ff64e5e0000
                                              File size:32768 bytes
                                              MD5 hash:71369277D09DA0830C8C59F9E22BB23A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                              Reputation:moderate
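
The process entries above are plain "Key:Value" blocks, so they can be pulled into structured records and sanity-checked mechanically. The following is an added example written for this page, not part of the Joe Sandbox report or its tooling. It embeds a constructed excerpt of the three entries (trimmed to the fields the checks read), parses them, and raises two kinds of finding: a Yara match with its source dump, and a process marked `Wow64 process (32bit):true` whose `Imagebase` lies above the 4 GiB boundary of a 32-bit address space (the third entry above, `0x7ff64e5e0000`, trips this; the report does not say which of the two fields is wrong, the check only surfaces the contradiction). The field names are taken from the report; everything else is the example's own.

```python
import re
from typing import Dict, List

# Constructed excerpt of the three process "General" blocks above, trimmed to
# the fields the checks use, so the example runs offline.
REPORT_EXCERPT = r"""
General

Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Programmed in:C, C++ or other language

General

Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):false
Commandline:{path}
Imagebase:0x1e0000
MD5 hash:71369277D09DA0830C8C59F9E22BB23A
Programmed in:C, C++ or other language

General

Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):true
Commandline:{path}
Imagebase:0x7ff64e5e0000
MD5 hash:71369277D09DA0830C8C59F9E22BB23A
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: NanoCore, Description: unknown, Source: 00000005.00000003.261720988.0000000004293000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
"""

Record = Dict[str, object]


def parse_process_blocks(text: str) -> List[Record]:
    """Split on 'General' headers and turn 'Key:Value' lines into dicts.
    Bullet ('•') lines are collected as a list under the preceding key,
    which is the shape the report uses for 'Yara matches:'."""
    procs: List[Record] = []
    current: Record = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            if current:
                procs.append(current)
            current, last_key = {}, None
        elif line.startswith("•") and last_key is not None:
            bucket = current[last_key]
            if not isinstance(bucket, list):
                bucket = current[last_key] = []
            bucket.append(line.lstrip("•").strip())
        elif ":" in line:
            key, value = line.split(":", 1)  # first colon only; values may contain ':'
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        procs.append(current)
    return procs


def wow64_imagebase_mismatch(proc: Record) -> bool:
    """A WoW64 (32-bit) process has a 4 GiB address space, so an image base
    above 0xFFFFFFFF contradicts 'Wow64 process (32bit):true'."""
    base = int(str(proc["Imagebase"]), 16)
    return proc["Wow64 process (32bit)"] == "true" and base > 0xFFFFFFFF


def yara_hits(proc: Record) -> List[Dict[str, str]]:
    """Rule name and source dump for each 'Yara matches' bullet."""
    matches = proc.get("Yara matches")
    hits: List[Dict[str, str]] = []
    for line in matches if isinstance(matches, list) else []:
        m = re.search(r"Rule:\s*(\S+),.*Source:\s*(\S+),", line)
        if m:
            hits.append({"rule": m.group(1), "source": m.group(2)})
    return hits


def triage(procs: List[Record]) -> List[str]:
    """One finding per anomaly, keyed by image name, in report order."""
    findings: List[str] = []
    for p in procs:
        name = str(p["Path"]).rsplit("\\", 1)[-1]
        if wow64_imagebase_mismatch(p):
            findings.append(f"{name}: Wow64=true but Imagebase {p['Imagebase']} is above 4 GiB")
        for hit in yara_hits(p):
            findings.append(f"{name}: Yara rule {hit['rule']} matched in {hit['source']}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_process_blocks(REPORT_EXCERPT)):
        print(finding)
```

Run against the excerpt, `triage` reports only the second RegSvcs.exe instance: once for the NanoCore Yara hit (with the dump it came from) and once for the Wow64/Imagebase contradiction. The same parser works on a full text export of the process list because it keys on the `General` header rather than on a fixed field order.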

                                              Disassembly

                                              Code Analysis

                                                Executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: ($K$N$T$X1(r
                                                • API String ID: 0-2249695457
                                                • Opcode ID: 1a266526987d9ec0a0dc342c86f98767a87ef507d800104348801ec5804ed65c
                                                • Instruction ID: b1534c081e0be4dc77d1b33a3f830cba98c7fdcca94578a1e028e01a489bfdb5
                                                • Opcode Fuzzy Hash: 1a266526987d9ec0a0dc342c86f98767a87ef507d800104348801ec5804ed65c
                                                • Instruction Fuzzy Hash: E872EE78D4522DCFDB64DF68C844BEDBBB2AB49308F1090EA810DA7291DB349AC5CF55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: K$M
                                                • API String ID: 0-2047567800
                                                • Opcode ID: ec04aa0410939b2acdc006da5155c10d45dd15ffdcddaf0147dc873dc1e917fe
                                                • Instruction ID: 92583573af39c66be4eec74fe64935f366ce0ad33efa02529fe475b06bc4a9ba
                                                • Opcode Fuzzy Hash: ec04aa0410939b2acdc006da5155c10d45dd15ffdcddaf0147dc873dc1e917fe
                                                • Instruction Fuzzy Hash: DBD11B7CC4A21CCEDB18DF64D8487EDBBB1BB4A309F10A1A9D41AE3291D7758A84CF15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: K$M
                                                • API String ID: 0-2047567800
                                                • Opcode ID: cf01de854ba5cae51a576089da5243962b33b66a3ffc957bfe58a1a78a86fa3b
                                                • Instruction ID: 1538e2e5b564cfe9a26b3fcfa61a821777f34004e80ec08ce07b192599fe905c
                                                • Opcode Fuzzy Hash: cf01de854ba5cae51a576089da5243962b33b66a3ffc957bfe58a1a78a86fa3b
                                                • Instruction Fuzzy Hash: ABC12978D06318CFDB28DF69D8487EDBBB1BB4A305F1491A9D41AE3291D7348A84CF15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: K$M
                                                • API String ID: 0-2047567800
                                                • Opcode ID: c3b1dcf947e68bed642209f824b3ed06427e5736f68451b174a9c829fda62c7d
                                                • Instruction ID: e90bcafebebc37c15def8641bcb3f50ac741b157b705bb7233fce35fed9bd6ab
                                                • Opcode Fuzzy Hash: c3b1dcf947e68bed642209f824b3ed06427e5736f68451b174a9c829fda62c7d
                                                • Instruction Fuzzy Hash: F6B14A78D06318CFDB28DF69D8887EDB7B1BB4A305F2091A9D01AE3291D7358A84CF15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: $g%r
                                                • API String ID: 0-359987751
                                                • Opcode ID: 7c8c1209ffabe8ab619c6d61879b07b957da99b07c5e5f9ecd13453e7a695112
                                                • Instruction ID: dac89498901fcfe0b69f89ac62028df0ccec9d9d2c7d1202257c82aeb702707e
                                                • Opcode Fuzzy Hash: 7c8c1209ffabe8ab619c6d61879b07b957da99b07c5e5f9ecd13453e7a695112
                                                • Instruction Fuzzy Hash: 0222BE7890522CCFDB64DF64C844BEDBBB1BB49304F1081EAD80AA72A5DB719E85CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 07F517CB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: AdjustPrivilegesToken
                                                • String ID:
                                                • API String ID: 2874748243-0
                                                • Opcode ID: dd5e562cf2798e141e3e5cd703950077514eb6d4da7055d1e74f6a698d6be7cb
                                                • Instruction ID: 8def1c898d752004349133c7e0b4428de5bdde539aa3ed4b051a6ba4f231fb3a
                                                • Opcode Fuzzy Hash: dd5e562cf2798e141e3e5cd703950077514eb6d4da7055d1e74f6a698d6be7cb
                                                • Instruction Fuzzy Hash: 5E219FB55097849FDB228F25DC44B52BFB4EF06310F08859AED858F163D374A908CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 07F51C8D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: InformationQuerySystem
                                                • String ID:
                                                • API String ID: 3562636166-0
                                                • Opcode ID: 36f13f179885451e22701e7093e51dbfac1099981dd192ed24405edc576f18c5
                                                • Instruction ID: 3fc14854f38e15c019f1cec0f934bbff25c5a55e4a2b3e9414cc3e138c19089a
                                                • Opcode Fuzzy Hash: 36f13f179885451e22701e7093e51dbfac1099981dd192ed24405edc576f18c5
                                                • Instruction Fuzzy Hash: A311DF724097C09FDB228B20DC44A92FFB4EF06320F0984DEEDC44F163D226A908DB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 07F517CB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: AdjustPrivilegesToken
                                                • String ID:
                                                • API String ID: 2874748243-0
                                                • Opcode ID: c1edd8aee7e612a0e0f902f47e196e7dd3fbe4e16113c90bcea57ebffd2eb53d
                                                • Instruction ID: 846f9cdb8edf54c7e110d22349f15e4813b20b0b63ff0e03190cc9a4116570f6
                                                • Opcode Fuzzy Hash: c1edd8aee7e612a0e0f902f47e196e7dd3fbe4e16113c90bcea57ebffd2eb53d
                                                • Instruction Fuzzy Hash: FD11A0B59106089FDB20CF69D884B66FFE4EF04321F08C5AAEE468B652D331E418CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 07F51C8D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: InformationQuerySystem
                                                • String ID:
                                                • API String ID: 3562636166-0
                                                • Opcode ID: eb8a418216007c5db31107822fead75519e0dce33622ad2de5ea3bae3d51e288
                                                • Instruction ID: d5b389f344468755c61f4b9ae92ad9edb680a2df924ba6177a2f54a78e804745
                                                • Opcode Fuzzy Hash: eb8a418216007c5db31107822fead75519e0dce33622ad2de5ea3bae3d51e288
                                                • Instruction Fuzzy Hash: 07018F758106049FDB20CF55D888B65FFA4EF45320F08C59ADE894B252D276B418CF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7604e953d105aa7af606e5b24c25bb87d08e5a242b9b364d759416d97fd701d0
                                                • Instruction ID: 9c91944589a0f2f26d91f6bcf90700464c0e8b205ebb176fdd7e7b01d969be8a
                                                • Opcode Fuzzy Hash: 7604e953d105aa7af606e5b24c25bb87d08e5a242b9b364d759416d97fd701d0
                                                • Instruction Fuzzy Hash: 4A71E078E05218CFCB04CFA9C8886AEFBB2FF49304F14856AD458E7655D7349985CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: L$X
                                                • API String ID: 0-312055254
                                                • Opcode ID: ce558864d7d6d980a34e6b12d8b55a722bf909339744f3a9b3023a2b0ae3d45f
                                                • Instruction ID: b91d022eac6dd2a7fb7ac819a5bd4eefe2a63a53950d5c8d24ada5cad9606da6
                                                • Opcode Fuzzy Hash: ce558864d7d6d980a34e6b12d8b55a722bf909339744f3a9b3023a2b0ae3d45f
                                                • Instruction Fuzzy Hash: 8F81F778D4624CDFDB18DFA8C5906EDBBB6EF4A304F209059C41AAB391CB349A42DF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: Q$R
                                                • API String ID: 0-3870444779
                                                • Opcode ID: b989d13e93ce581b889e7c85669cee90ea8dc7bf5f92354c521f3807802bc95a
                                                • Instruction ID: 47c06ba3e064d1a7fdf753f01e5f2d76bd5ef162cab3e36051e043c97b7dd066
                                                • Opcode Fuzzy Hash: b989d13e93ce581b889e7c85669cee90ea8dc7bf5f92354c521f3807802bc95a
                                                • Instruction Fuzzy Hash: DE51B17CD5A209DFDB00CFA8D4846EEBBBABB1A308F502559D41AFB251D7709A05CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: Q$R
                                                • API String ID: 0-3870444779
                                                • Opcode ID: 88a3e398f7f9673629a51c7566771915ce80032c573e4b881d37c62a2a17575e
                                                • Instruction ID: 32e9c909670891002bafaa9c4f6b274da77e4c947f5e62ac908014d912d86068
                                                • Opcode Fuzzy Hash: 88a3e398f7f9673629a51c7566771915ce80032c573e4b881d37c62a2a17575e
                                                • Instruction Fuzzy Hash: 3051AE7CD5A20DCFCB00CFA8D8846AEBBBABB1A308F506529D41AFB251D7709905CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 07F512A7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: d8c4a6c1e8f62fbf8bed55869355b2207562b79724efd6ba8aab161cf6ea6c99
                                                • Instruction ID: f69ffa635e0f7f0669d85993708919960ac812f919413069085d7e8df4f5adc2
                                                • Opcode Fuzzy Hash: d8c4a6c1e8f62fbf8bed55869355b2207562b79724efd6ba8aab161cf6ea6c99
                                                • Instruction Fuzzy Hash: 323196715043846FEB128B65DC45F67BFBCEF06310F0885AAF985CB152D724A909DB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetTokenInformation.KERNELBASE(?,00000E2C,7D18B50B,00000000,00000000,00000000,00000000), ref: 07F50B90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: InformationToken
                                                • String ID:
                                                • API String ID: 4114910276-0
                                                • Opcode ID: 75e61aae18678a5420bc31af86abbe530996f508bbfb56efe527c53f212d7d01
                                                • Instruction ID: 8cd36a5eb7b2e2e6fc7947c03bda60d0087cdfcb5753f7a8ee0b94cfb546d768
                                                • Opcode Fuzzy Hash: 75e61aae18678a5420bc31af86abbe530996f508bbfb56efe527c53f212d7d01
                                                • Instruction Fuzzy Hash: B331B5B2505381AFEB228F65DC85F96BFB8EF06310F08449AEA84DB153D624A508DB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00DEACD1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: 7b13f62d225d0d2ba97cd9639f02822b3884c15c6f32ad0b904b7ee167d5566d
                                                • Instruction ID: 03b4c3f5ee1e836807dbc034b85b3e2c41889d73677aa4faa677c2f74d788d8c
                                                • Opcode Fuzzy Hash: 7b13f62d225d0d2ba97cd9639f02822b3884c15c6f32ad0b904b7ee167d5566d
                                                • Instruction Fuzzy Hash: 7F31B4B25043846FE7228B65CC85FA7BFFCEF15310F0885AAED819B152D264A909CB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 07F50715
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: de9cdcd330de8bdca7cbe3d8840cbf6b2d0b7a9c8f8d5aab842b7d394264a9c8
                                                • Instruction ID: 6b3d04b2c5a2a1fff631082d9f1227fb50bcbc94113df9f053d1f406beea7427
                                                • Opcode Fuzzy Hash: de9cdcd330de8bdca7cbe3d8840cbf6b2d0b7a9c8f8d5aab842b7d394264a9c8
                                                • Instruction Fuzzy Hash: 96314DB1504240AFE722CF65DC44B66BFE8EF05220F0885AAEE859B252D775E409CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateMutexW.KERNELBASE(?,?), ref: 07F5053D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: CreateMutex
                                                • String ID:
                                                • API String ID: 1964310414-0
                                                • Opcode ID: ee92b85c8c22f5d2b5938d431246dac48e8b780680b8914991650a2a3a34a3f6
                                                • Instruction ID: e93d664b1b1380ca39625829d28375a9d6d7a6da429c5809c4ef83875b796910
                                                • Opcode Fuzzy Hash: ee92b85c8c22f5d2b5938d431246dac48e8b780680b8914991650a2a3a34a3f6
                                                • Instruction Fuzzy Hash: E6318FB15097806FE712CB25DC84F56BFF8EF06310F1984AAE9848B293D764A909CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegQueryValueExW.KERNELBASE(?,00000E2C,7D18B50B,00000000,00000000,00000000,00000000), ref: 00DEADD4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: QueryValue
                                                • String ID:
                                                • API String ID: 3660427363-0
                                                • Opcode ID: ecdf896640183538e435e332e8731432e942e5cccb9e45af1f140f4c1589e754
                                                • Instruction ID: e5fa9b05f785644c076118e7a2fb2d5fbc35230d6cac21b58f9e8bbba1596eb1
                                                • Opcode Fuzzy Hash: ecdf896640183538e435e332e8731432e942e5cccb9e45af1f140f4c1589e754
                                                • Instruction Fuzzy Hash: 983193715097846FE722CB65CC84FA2BFB8EF06710F08849AE985CB153D364E949CB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 00DEA346
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 823d885db52d21e6f80d84b2e643c9cf7ec89471f0dabd8e6be84da8c58f7399
                                                • Instruction ID: e9f4d4fca183bfa91915fe194e5e0fa3cb002a24ab1a91ca4f8bb4835c566e1a
                                                • Opcode Fuzzy Hash: 823d885db52d21e6f80d84b2e643c9cf7ec89471f0dabd8e6be84da8c58f7399
                                                • Instruction Fuzzy Hash: 35317E7140E3C16FD3138B259C55A22BFB4EF47620F0A41DBE984CB5A3D229A919C7B2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • TerminateProcess.KERNELBASE(?,00000E2C,7D18B50B,00000000,00000000,00000000,00000000), ref: 07F51B10
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: ProcessTerminate
                                                • String ID:
                                                • API String ID: 560597551-0
                                                • Opcode ID: febb482dc4c638cb52081e13b0ba810c50a44553f38f040a1b2a869e7bb03f83
                                                • Instruction ID: 1c70730410df44eb3d124005ff8af6207ac78deea1a94cdfd597e5a3dc9ee2ac
                                                • Opcode Fuzzy Hash: febb482dc4c638cb52081e13b0ba810c50a44553f38f040a1b2a869e7bb03f83
                                                • Instruction Fuzzy Hash: 0621E7B15093846FE7128B64DC85BA6BFB8EF42320F0884EBE984DF193D264A505CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 07F50EB3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: OpenPolicy
                                                • String ID:
                                                • API String ID: 2030686058-0
                                                • Opcode ID: dd7be71dc0fc53f1891994fb7d63bb8264615cbb679f71372f066d93e1cc0ec5
                                                • Instruction ID: 37643a81cd9bbf61e8a01f5143dbffcce3af8122ce834e109decc6559b39a879
                                                • Opcode Fuzzy Hash: dd7be71dc0fc53f1891994fb7d63bb8264615cbb679f71372f066d93e1cc0ec5
                                                • Instruction Fuzzy Hash: F521A2B2504344AFEB21CF65DC84F66BFF8EF05310F18849AED849F152D725A508CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 07F512A7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: f0957268c8093b816f1e37221e3b1b161c5cfe1d56dd85c42edfcada574d66f3
                                                • Instruction ID: d9d364d0233b2cda4d5b815e002ff2e28cce8b3d084b37434691264bfbb674b1
                                                • Opcode Fuzzy Hash: f0957268c8093b816f1e37221e3b1b161c5cfe1d56dd85c42edfcada574d66f3
                                                • Instruction Fuzzy Hash: 4E21B2B2500204AFEB219F65DC85F6ABBECEF04320F14886AEE45DB551D670E4048BB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFileType.KERNELBASE(?,00000E2C,7D18B50B,00000000,00000000,00000000,00000000), ref: 07F50801
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: FileType
                                                • String ID:
                                                • API String ID: 3081899298-0
                                                • Opcode ID: 8714842362ebc4242b01cded7817ec66b7a7aaf16bd33ff8af18ace917223798
                                                • Instruction ID: d7c880df3617b003367476f8a4b67b37b68b8b6aa66ac02fb87fde0ea93b4597
                                                • Opcode Fuzzy Hash: 8714842362ebc4242b01cded7817ec66b7a7aaf16bd33ff8af18ace917223798
                                                • Instruction Fuzzy Hash: 4621F8B58087806FE712CB25DC40BA2BFB8EF46720F0884DAED848F153D624A909C771
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DeleteFileW.KERNELBASE(?), ref: 07F5138C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: a590bfbe1b06ea6f046b128a69ddd7f095f164ad04ca3c06ad8d1d54e3b88402
                                                • Instruction ID: 76db72e714e85b0beca16f61b7e8cb48736fee155ea92bf460ebda3a25661df1
                                                • Opcode Fuzzy Hash: a590bfbe1b06ea6f046b128a69ddd7f095f164ad04ca3c06ad8d1d54e3b88402
                                                • Instruction Fuzzy Hash: F4219FB65093C45FDB12CB35DCA4B92BFB4AF03210F0D84DADD858F263D225A908CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 07F50715
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 4e99da9fbadab05a5f96d976a872fd14e2373f573e3b44d1b021cd15fa627537
                                                • Instruction ID: 0a7d6255c712cace97bb526d9a60fea7d31562241f50cc7012991abab3180754
                                                • Opcode Fuzzy Hash: 4e99da9fbadab05a5f96d976a872fd14e2373f573e3b44d1b021cd15fa627537
                                                • Instruction Fuzzy Hash: C3218EB1500640AFEB21DF65DD85B66FBE8EF08310F088569EE858B252D771E404CF75
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00DEACD1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: 64d35d6a320a00d2a395469c7c06e19fd3cbf5752808a91e5d634fc05c98c689
                                                • Instruction ID: c33f1761a36f88f09db2a6cf9a06d236ce2480f72d4fac743a70ba7240bdc5cf
                                                • Opcode Fuzzy Hash: 64d35d6a320a00d2a395469c7c06e19fd3cbf5752808a91e5d634fc05c98c689
                                                • Instruction Fuzzy Hash: 9421A4B2500604AFE721DB59DC84F6BFBECEF14310F14845AEE459B241D634F9088BB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?), ref: 00DEBED7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: dd7304c8e7526bb90eaac8edb423c4b2f41ddeb9b68a0f47b9ad94dae67fe381
                                                • Instruction ID: 9450b24cbc66e319ce7ff8289bb598cc968cb2e2a8460f02f7dd5e2ffbdd9afe
                                                • Opcode Fuzzy Hash: dd7304c8e7526bb90eaac8edb423c4b2f41ddeb9b68a0f47b9ad94dae67fe381
                                                • Instruction Fuzzy Hash: C62181715057849FDB12CF25DC84B62BFF8EF16720F08859AE9858B163D375E809CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 07F50EB3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: OpenPolicy
                                                • String ID:
                                                • API String ID: 2030686058-0
                                                • Opcode ID: 1b33f1bed7b2283d0389ceefa3a594335d6728c57ba626de5d34584cc488f01f
                                                • Instruction ID: f20813a9cab4b06fa58d710d74c90128efa0cf4e055b4eebe1446feb5d004e3b
                                                • Opcode Fuzzy Hash: 1b33f1bed7b2283d0389ceefa3a594335d6728c57ba626de5d34584cc488f01f
                                                • Instruction Fuzzy Hash: EE21C3B2900204AFEB20DF69DC85F6AFBECEF04310F28846AEE459B241D674E4048B75
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateMutexW.KERNELBASE(?,?), ref: 07F5053D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: CreateMutex
                                                • String ID:
                                                • API String ID: 1964310414-0
                                                • Opcode ID: 736499a00841869cdaad66f20b3198286c481887954ee41a709159e75322b941
                                                • Instruction ID: 08eb1c912e4505feb2c72d5400136a6be623e349bce06eaf35a41eaae9f0ada0
                                                • Opcode Fuzzy Hash: 736499a00841869cdaad66f20b3198286c481887954ee41a709159e75322b941
                                                • Instruction Fuzzy Hash: E8219FB1A00644AFE720DF69DD85F66FBE8EF04320F18846AEE458B242DB70E404CB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteFile.KERNELBASE(?,00000E2C,7D18B50B,00000000,00000000,00000000,00000000), ref: 07F5099D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: a74c5b8dcf807d49894b7f2323b0d026204681ac33819dd2b8af18c2a8b322a2
                                                • Instruction ID: 06ebdc2e785c2a1a864b1c3723601e7cb4417ebed8ae4c5020f48e5a75067c9e
                                                • Opcode Fuzzy Hash: a74c5b8dcf807d49894b7f2323b0d026204681ac33819dd2b8af18c2a8b322a2
                                                • Instruction Fuzzy Hash: 7E216272505344AFEB22CF65DC85F57BFB8EF45310F0884AAEA859B152D364A508CB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetTokenInformation.KERNELBASE(?,00000E2C,7D18B50B,00000000,00000000,00000000,00000000), ref: 07F50B90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: InformationToken
                                                • String ID:
                                                • API String ID: 4114910276-0
                                                • Opcode ID: eec663fefa946fd8f971742d2d7795a38a875a4fc92dba4feb9653da23dc71fa
                                                • Instruction ID: d187a27b894264099fef04d1282f13e105ba47d45f8fee30274b2af375c50351
                                                • Opcode Fuzzy Hash: eec663fefa946fd8f971742d2d7795a38a875a4fc92dba4feb9653da23dc71fa
                                                • Instruction Fuzzy Hash: 951175B2500205AFEB21CF69DC85FAAFBACEF44320F18846AEE45DB151DB74E5048B71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegQueryValueExW.KERNELBASE(?,00000E2C,7D18B50B,00000000,00000000,00000000,00000000), ref: 00DEADD4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: QueryValue
                                                • String ID:
                                                • API String ID: 3660427363-0
                                                • Opcode ID: ebda519916ea332f4ac0b3404a6186e7a8e8a8bdd6f259762eed533df56a22bf
                                                • Instruction ID: 301d3eb2141c28a90e80c30059f8f3781718ab8b20efe2ee481974969de38a71
                                                • Opcode Fuzzy Hash: ebda519916ea332f4ac0b3404a6186e7a8e8a8bdd6f259762eed533df56a22bf
                                                • Instruction Fuzzy Hash: 3021A1B1600644AFE720DE1ACC80FA6BBECEF04710F08845AED458B651D760F804CA72
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • K32EnumProcesses.KERNEL32(?,?,?,7D18B50B,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 07F5193E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: EnumProcesses
                                                • String ID:
                                                • API String ID: 84517404-0
                                                • Opcode ID: 7e3a526afd02eb2d0d441a825bc03953931419cf8c16260e13366f42351a7988
                                                • Instruction ID: a3fb0563694860bbc945002b8bc9651c462659a838acd83d334e8cae3533f6a0
                                                • Opcode Fuzzy Hash: 7e3a526afd02eb2d0d441a825bc03953931419cf8c16260e13366f42351a7988
                                                • Instruction Fuzzy Hash: 43215E765093849FD712CB65DC85B92BFE8EF06220F0984EBE985CF163D264A908CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07F51BDC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 681efe4be664f8980bf428733a0cdf8363950693df2b9bad72540c4a4805e2d4
                                                • Instruction ID: 7d3ad9303d1327476e2731b6e1aa7a7243322b3e60373e41e267e4ee0e7937a9
                                                • Opcode Fuzzy Hash: 681efe4be664f8980bf428733a0cdf8363950693df2b9bad72540c4a4805e2d4
                                                • Instruction Fuzzy Hash: 6121DEB55097859FDB228F25DC44A52FFB4EF06210F0880DAED848B263D335E949DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00DEB4A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoadShim
                                                • String ID:
                                                • API String ID: 1475914169-0
                                                • Opcode ID: 12c89974fb9ed928cd8237dacb3ba826a6cded9819614c57fd42708c177f2f32
                                                • Instruction ID: 2de0677ccd60a3ece8b4da200cd8ec5dbb0cc652b51a3c0309441f68fa117c61
                                                • Opcode Fuzzy Hash: 12c89974fb9ed928cd8237dacb3ba826a6cded9819614c57fd42708c177f2f32
                                                • Instruction Fuzzy Hash: B02190B15097845FDB22CE25DC45B63BFF8EF16724F08808AED848B293D365A908CB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 07F51DD9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: af5aa92a134318087fa44c951f903e25dccc1f74696791e94f8d53f90a0e0fbd
                                                • Instruction ID: 8d9f94f6b64f1afb4bcefe6ac431c935de3743081293dfed9af072aa89673014
                                                • Opcode Fuzzy Hash: af5aa92a134318087fa44c951f903e25dccc1f74696791e94f8d53f90a0e0fbd
                                                • Instruction Fuzzy Hash: 0A2189724093C49FDB238B25CC44A52BFB4EF17220F0985DAED848F163D225A958DBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • TerminateProcess.KERNELBASE(?,00000E2C,7D18B50B,00000000,00000000,00000000,00000000), ref: 07F51B10
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: ProcessTerminate
                                                • String ID:
                                                • API String ID: 560597551-0
                                                • Opcode ID: f571134687d2ebf7f0f20fd8b22abfc21be4316d52a5ab808d2a99d44f9786fe
                                                • Instruction ID: d091013d24c85efb77cc68cd5519cac6d2a39a086e8cb0714633b490592e70d8
                                                • Opcode Fuzzy Hash: f571134687d2ebf7f0f20fd8b22abfc21be4316d52a5ab808d2a99d44f9786fe
                                                • Instruction Fuzzy Hash: F011A7B1904204AFEB11CF69DC85BAABB98DF44320F18846AEE45DB242E674A4048B71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DEA666
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 779089c1b2fa0c6673a692541472f2a8e284f3edcbe44945ea32fd9c749608a4
                                                • Instruction ID: da2e1f30dff0cf127b2c3ae9dd1a3d6ea2bf9df9a7835c583cc4cc4116456651
                                                • Opcode Fuzzy Hash: 779089c1b2fa0c6673a692541472f2a8e284f3edcbe44945ea32fd9c749608a4
                                                • Instruction Fuzzy Hash: 7A117271409780AFDB228F55DC44A62FFF4EF4A310F08859EED898B153D275A518DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteFile.KERNELBASE(?,00000E2C,7D18B50B,00000000,00000000,00000000,00000000), ref: 07F5099D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: e2b4a153add7516f90d54d79bb11612bf7f5584b1d12391891e9b15f9595f8bf
                                                • Instruction ID: 90d959be289c5d31481940b13a74c55549ee997159af4473faebba86ce7ff7de
                                                • Opcode Fuzzy Hash: e2b4a153add7516f90d54d79bb11612bf7f5584b1d12391891e9b15f9595f8bf
                                                • Instruction Fuzzy Hash: 7511E7B2900204AFEB21CF65DC81F6AFFA8EF44320F18846AEE459B246C774A404CB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07F5158C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 8cd018b0e4ec232a074ef9339ebbeaff1e94f8c752e39cab6998ae7d2759c2d4
                                                • Instruction ID: db06954625e20837fb4e85ba074cf7ec9cd171895d787e2b00ffad945d48c823
                                                • Opcode Fuzzy Hash: 8cd018b0e4ec232a074ef9339ebbeaff1e94f8c752e39cab6998ae7d2759c2d4
                                                • Instruction Fuzzy Hash: E511E2764097849FDB228F25DC40A52FFB4EF06320F0881DEED858B263C375A558DB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 07F52161
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: feab136c016f6bf658d9d84d13999c62aa8458e8f1cca6477ebebd03df5eabbd
                                                • Instruction ID: 3d9c02e8fffbd3a6de491e8ceef3cf33d7185030066aa9db973a46ffb157602a
                                                • Opcode Fuzzy Hash: feab136c016f6bf658d9d84d13999c62aa8458e8f1cca6477ebebd03df5eabbd
                                                • Instruction Fuzzy Hash: 0D119071509784AFDB228F15DC45B52FFB4EF06324F08849EEE854B163D265A518CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetThreadContext.KERNELBASE(?,?), ref: 07F514DF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: f91b948ac2383d41b6fbce1293164b8595ce596003413211865faaec52d28097
                                                • Instruction ID: 59b437dfb748c61b33ecb0c6f1c0c5c983280122291ac6b5c67044676a3449a0
                                                • Opcode Fuzzy Hash: f91b948ac2383d41b6fbce1293164b8595ce596003413211865faaec52d28097
                                                • Instruction Fuzzy Hash: 1F11BF755083849FD711CB15CC84B52FFE8EF06320F0880AAED868B262D234E908CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFileType.KERNELBASE(?,00000E2C,7D18B50B,00000000,00000000,00000000,00000000), ref: 07F50801
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: FileType
                                                • String ID:
                                                • API String ID: 3081899298-0
                                                • Opcode ID: 816366406cda46d45a5846ec73e2db8dc2be9476332d591ff170bda6d1209cb4
                                                • Instruction ID: 7ee270967455cfb9709c411ed8adce2ea09bc8c80045bf93b7246a780580092d
                                                • Opcode Fuzzy Hash: 816366406cda46d45a5846ec73e2db8dc2be9476332d591ff170bda6d1209cb4
                                                • Instruction Fuzzy Hash: 2501D6B1900204AEE720CF25DC85F66FB98EF44721F18C45AEE449B241D774A544CAB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?), ref: 00DEBED7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0
                                                • Opcode ID: ccfd0a5cb2010136b95459db98bfd9a2a767ae79376d520ce0d0b50b622f6621
                                                • Instruction ID: ee3958f4ea5b19d1ac38cdcbdb58bac86bfd513c493a255186c22130d427afad
                                                • Opcode Fuzzy Hash: ccfd0a5cb2010136b95459db98bfd9a2a767ae79376d520ce0d0b50b622f6621
                                                • Instruction Fuzzy Hash: AF115E715006449FDB20DF66D984B66FBE8EF04720F18846AED858B652D371E404CF71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00DEAF50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 4ec266d9f71fc4c9e43bf38d2f35ec0ab3f64776e5dcc634874e3ae6ba244abb
                                                • Instruction ID: 68c9aad09c6c4d0a5761d440dfba212d820201f285a8644472176433209814ae
                                                • Opcode Fuzzy Hash: 4ec266d9f71fc4c9e43bf38d2f35ec0ab3f64776e5dcc634874e3ae6ba244abb
                                                • Instruction Fuzzy Hash: 2F118C72409784AFDB22CF15DC44A52FFB4EF19320F08859EED854B262C375A918CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • K32EnumProcesses.KERNEL32(?,?,?,7D18B50B,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 07F5193E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: EnumProcesses
                                                • String ID:
                                                • API String ID: 84517404-0
                                                • Opcode ID: d4df839395dcbb17013bb48651349e3eef0af6d1f2dca1db2e57fda7450b3077
                                                • Instruction ID: cedaa6ca5e7a6adfffef556732a9ceacb2a510abdfa96b97ebfb3f3f5e86acb2
                                                • Opcode Fuzzy Hash: d4df839395dcbb17013bb48651349e3eef0af6d1f2dca1db2e57fda7450b3077
                                                • Instruction Fuzzy Hash: 7F1161B69002059FDB10CF69D884756FBE8EF44320F08C4AADE498B652D274E444CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: LongWindow
                                                • String ID:
                                                • API String ID: 1378638983-0
                                                • Opcode ID: dc6968a5327dbc0628811626bd7ff170935e5be8a352e1d10fbbe1efca827bcc
                                                • Instruction ID: 350f33511e81a9377513826d4db14735a9903c7e4c3fb2a92750723ea8f585c4
                                                • Opcode Fuzzy Hash: dc6968a5327dbc0628811626bd7ff170935e5be8a352e1d10fbbe1efca827bcc
                                                • Instruction Fuzzy Hash: AB117C314097849FD722CF15DC85A52FFB4EF46320F08C59AED894B262D375A918CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ResumeThread.KERNELBASE(?), ref: 00DEA480
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 9c8cc69df09f6ec492a63c84cfdfed2476f68115f3ce9e618150fa22e16026b1
                                                • Instruction ID: 4631ee507a3c0e2eb5ff63198a02c919579fe3128723d12c795946f95c567cd7
                                                • Opcode Fuzzy Hash: 9c8cc69df09f6ec492a63c84cfdfed2476f68115f3ce9e618150fa22e16026b1
                                                • Instruction Fuzzy Hash: 9D016175409784AFD712CB15DC44B62FFA8DF46720F08809AED895B252D275A908CB72
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DeleteFileW.KERNELBASE(?), ref: 07F5138C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                • Opcode ID: 480cb6e1a2a877dc92213028f2f0f922d03dbc9fff8e327c6937b51029959c64
                                                • Instruction ID: ba7c1df326433c5b6286e50f29823b03c39d6176baa16c08d5a301b62efbe299
                                                • Opcode Fuzzy Hash: 480cb6e1a2a877dc92213028f2f0f922d03dbc9fff8e327c6937b51029959c64
                                                • Instruction Fuzzy Hash: 9301B1B2A042059FDB10CF29D884766FBE8EF00221F0CC4AADE49CF646D274E404CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07F51BDC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 1656538d99e789b17c307b0a982bdd17485a00e44d1bf32c454d184cdc9c720a
                                                • Instruction ID: f6c6378647f66f2c592cf051e2dc804ba23eac109e970590fc15080b6acc5a3b
                                                • Opcode Fuzzy Hash: 1656538d99e789b17c307b0a982bdd17485a00e44d1bf32c454d184cdc9c720a
                                                • Instruction Fuzzy Hash: 53016DB56006099FDB20CF19D884B66FBE4EF04320F08C4AAEE458B652D375E458DF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00DEB4A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoadShim
                                                • String ID:
                                                • API String ID: 1475914169-0
                                                • Opcode ID: c352278dbf6507b243264d2890c7ca08d78d8d9ea08a1fdab6994d8a865432ce
                                                • Instruction ID: a1c05e56cfb865f1d62c24d0cac7e9239c8b9dcb415ff2e3d8b6f24827e0de1d
                                                • Opcode Fuzzy Hash: c352278dbf6507b243264d2890c7ca08d78d8d9ea08a1fdab6994d8a865432ce
                                                • Instruction Fuzzy Hash: 23016D715006408FDB20EE1AD885B22FBE8EF14724F18849AED898B286D374E804CB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DEA666
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 0354a8e2c09217fecfbe75b3c4f7c66be8a57639191ed8ccb8cd5905e2e04a6b
                                                • Instruction ID: 69869c4abaf592c8fdd48687f5568cca21e1d4cb6758e5402573ef1c4d1163af
                                                • Opcode Fuzzy Hash: 0354a8e2c09217fecfbe75b3c4f7c66be8a57639191ed8ccb8cd5905e2e04a6b
                                                • Instruction Fuzzy Hash: AD018B31800A409FDB219F59D844B56FFE4EF48320F08C8AEED894A612D271E414DF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetThreadContext.KERNELBASE(?,?), ref: 07F514DF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: 499500f7503552158e04752cd5fed10211be57229a8908bf728dd182577e0ee4
                                                • Instruction ID: 771d802c236d487e3712522dc489df1028af29ef7e528e2e23ba180fc0f8f00d
                                                • Opcode Fuzzy Hash: 499500f7503552158e04752cd5fed10211be57229a8908bf728dd182577e0ee4
                                                • Instruction Fuzzy Hash: 510171B56146098FEB10CF19D884B66FBE8EF05321F0CC4AADE4A8B656E374E445CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07F5158C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: f0763b0721594c30dcb40186c57bc1f55d2e60834652a462aadfe29b2748b4c2
                                                • Instruction ID: 301a18fc22a1516d998978b5aeb433377861ba525aa6e19ad23846177d4e4459
                                                • Opcode Fuzzy Hash: f0763b0721594c30dcb40186c57bc1f55d2e60834652a462aadfe29b2748b4c2
                                                • Instruction Fuzzy Hash: 5C019E725006049FDB218F59D884B66FFA4EF08320F08C49EEE464B652C371E418DF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 00DEA346
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 5fec48d49bdf696d5a49c8c74afb9228b13f00c4f092ed0ef7b50fdd5d3f5f12
                                                • Instruction ID: d1185b89bd6385ed70149faab344a60895474bef4bf85bf65e21e749360996d4
                                                • Opcode Fuzzy Hash: 5fec48d49bdf696d5a49c8c74afb9228b13f00c4f092ed0ef7b50fdd5d3f5f12
                                                • Instruction Fuzzy Hash: A8016271500600ABD610DF1ADC86B26FBE8FB88B20F14815AED085B745E675F515CBE5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 07F52161
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 464c013ad1df756c851f4fdedce083a3923832fdd4d33ce80d1eae23a0f0d8a8
                                                • Instruction ID: 2f254a4825a75a4b55f3d9326cbbce9cd34fa32409b15ab45862df0ae5804233
                                                • Opcode Fuzzy Hash: 464c013ad1df756c851f4fdedce083a3923832fdd4d33ce80d1eae23a0f0d8a8
                                                • Instruction Fuzzy Hash: EB01B1B29106009FDB208F15DC84B66FFA4FF05320F08C19EDE454B656C271E418CFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00DEAF50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 7591cb66b307f769746d38746ea9e9c3d7a870d48aa22ce67627c25342113497
                                                • Instruction ID: 3e46c4993d6f6768c4ea3857723c3ecf3a9cb2d036514e3c0ff3ab4f85e17d48
                                                • Opcode Fuzzy Hash: 7591cb66b307f769746d38746ea9e9c3d7a870d48aa22ce67627c25342113497
                                                • Instruction Fuzzy Hash: 1E017C714106419FDB219F5AD884B66FFA0EF18320F18C49AED890B662D375E418DFB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 07F51DD9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: b4b6e77423f4e23555dcb0b4b5ff3d84cbb3dca8846b85cddeee62112e2d599d
                                                • Instruction ID: bafc75e70cfbb8c2d0f641687ffb6c9ff978b59beae8ea7a62a10f0fb2b7d313
                                                • Opcode Fuzzy Hash: b4b6e77423f4e23555dcb0b4b5ff3d84cbb3dca8846b85cddeee62112e2d599d
                                                • Instruction Fuzzy Hash: 4B018F71910648DFDB20CF55D884B26FFA0EF04321F08C49ADE494B256C375A458CFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: LongWindow
                                                • String ID:
                                                • API String ID: 1378638983-0
                                                • Opcode ID: 5c9fcfcfb1da66400cd925d8e2c2b79e864d9da1a961f357407dcce684d8d1ce
                                                • Instruction ID: db6e96e4a651ba3e771a0e5556f0678715622890b227e326ddd2ea0dfba6d52d
                                                • Opcode Fuzzy Hash: 5c9fcfcfb1da66400cd925d8e2c2b79e864d9da1a961f357407dcce684d8d1ce
                                                • Instruction Fuzzy Hash: FD01AD314006448FDB20DF0AD884B22FFA0EF44720F18C59ADD8A0B252C2B5E808DFB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ResumeThread.KERNELBASE(?), ref: 00DEA480
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 7285cf88ea423a83bbfeceab1aa08c6ae00d8795462ae7c165ddccdd26fec333
                                                • Instruction ID: 48b7ee7bc6bb76f493558c434dbe0fb4f6f65fa0d42a7ca9b8f1eb0e07fa20ef
                                                • Opcode Fuzzy Hash: 7285cf88ea423a83bbfeceab1aa08c6ae00d8795462ae7c165ddccdd26fec333
                                                • Instruction Fuzzy Hash: 41F0A4755146858FDB10DF1AD888765FFE4DF44320F18C0AADD894F296D2B5B404CEB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%
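Taken together, the API entries above (VirtualAllocEx and ResumeThread in the 00DEA000 region, WriteProcessMemory, SetThreadContext and ReadProcessMemory in the 07F50000 region) form the call sequence that characterises process hollowing: allocate in a target process, write the payload, repoint the suspended thread, resume it. The script below is an added example, not part of this report or of the sandbox's own tooling: it parses a function listing in the format shown here and reports, per process, which links of that chain are present and in which dumped regions. The function names are the author's own, the sample listing is constructed from the API blocks on this page, and treating the first dotted field of a dump name as the process identifier is an assumption drawn from the names as printed.

```python
"""Pull API entries out of a sandbox function listing and flag the
process-hollowing call chain.  Added example, not part of the report."""
import re
from collections import defaultdict

# Constructed input in the listing's own format, abridged from the API
# blocks shown on this page (same API names, refs and dump names).
SAMPLE_LISTING = """\
APIs
• K32EnumProcesses.KERNEL32(?,?,?,7D18B50B,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 07F5193E
Memory Dump Source
• Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
Similarity
• API ID: EnumProcesses
APIs
Memory Dump Source
• Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
Similarity
• API ID: LongWindow
APIs
• ResumeThread.KERNELBASE(?), ref: 00DEA480
Memory Dump Source
• Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
APIs
• WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07F51BDC
Memory Dump Source
• Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
APIs
• SetThreadContext.KERNELBASE(?,?), ref: 07F514DF
Memory Dump Source
• Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07F5158C
Memory Dump Source
• Source File: 00000000.00000002.258429917.0000000007F50000.00000040.00000001.sdmp, Offset: 07F50000, based on PE: false
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00DEAF50
Memory Dump Source
• Source File: 00000000.00000002.252461879.0000000000DEA000.00000040.00000001.sdmp, Offset: 00DEA000, based on PE: false
"""

# In each function block the API bullets precede the "Source File" line.
API_RE = re.compile(
    r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(
    r"^• Source File: (?P<dump>[^,]+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

# Hollowing sequence: allocate in the target, write the payload,
# repoint the suspended primary thread, resume it.
HOLLOWING_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


def parse_listing(text):
    """Return one dict per API bullet: api, module, args, ref, dump, offset, pe.
    Bullets are held until the block's 'Source File' line attaches them to a
    dump; a block whose 'APIs' header has no bullets contributes nothing."""
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            pending.append(m.groupdict())
            continue
        m = SOURCE_RE.match(line)
        if m:
            entries.extend({**api, **m.groupdict()} for api in pending)
            pending = []
    return entries


def process_of(dump):
    """Assumption: dump names read <process>.<state>.<id>.<base>.<protect>.<type>.sdmp
    and the first field identifies the process the region was dumped from."""
    return dump.split(".")[0]


def find_injection_chains(entries):
    """Group chain APIs by process and say whether the full sequence is present.
    Returns {process: {"apis": {name: [region offsets]}, "missing": [...], "complete": bool}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in entries:
        if e["api"] in HOLLOWING_CHAIN:
            seen[process_of(e["dump"])][e["api"]].add(e["offset"])
    report = {}
    for proc, apis in seen.items():
        missing = [a for a in HOLLOWING_CHAIN if a not in apis]
        report[proc] = {
            "apis": {a: sorted(offs) for a, offs in apis.items()},
            "missing": missing,
            "complete": not missing,
        }
    return report


if __name__ == "__main__":
    for proc, info in find_injection_chains(parse_listing(SAMPLE_LISTING)).items():
        verdict = ("FULL hollowing chain" if info["complete"]
                   else "partial chain, missing " + ", ".join(info["missing"]))
        print(f"process {proc}: {verdict}")
        for api, offs in info["apis"].items():
            print(f"  {api:<20} in region(s) {', '.join(offs)}")
```

Run against the constructed listing it reports one process with all four links present, split across the two dumped regions; a listing that carries only VirtualAllocEx comes back as a partial chain with the three missing APIs named, which is the case a triage analyst wants distinguished from a confirmed injection.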

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: X1(r
                                                • API String ID: 0-3909273932
                                                • Opcode ID: 8b8dc7e717fecbfa6c56053e1fa5da4bd0a8f4c77eb3b865af05ceea15b1b631
                                                • Instruction ID: dfa0e9290965a34bd911c581a6e1d70b4a0bed494c54477918b082bef2967068
                                                • Opcode Fuzzy Hash: 8b8dc7e717fecbfa6c56053e1fa5da4bd0a8f4c77eb3b865af05ceea15b1b631
                                                • Instruction Fuzzy Hash: 9541B2B8E05258DFCB44DFA9D844AADBBF2BF49300F14906AE805E73A0DB359941CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: X1(r
                                                • API String ID: 0-3909273932
                                                • Opcode ID: 7fe7c31f9f0bcdbf585cc93d6c430dd1601dc4aad539a00892c2766e423aa830
                                                • Instruction ID: 36f776c09e9d5720eb6f32f79fbd3d4d4f5fe5f83b85758f408d121aa281f303
                                                • Opcode Fuzzy Hash: 7fe7c31f9f0bcdbf585cc93d6c430dd1601dc4aad539a00892c2766e423aa830
                                                • Instruction Fuzzy Hash: B641AFB8E01208DFDB44DFA9D844AADBBF2BF49304F10802AE809E77A0DB359941CF55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: B
                                                • API String ID: 0-1255198513
                                                • Opcode ID: a262da2dd2052c50dcc4dc27ddeb05bda7f8a4deabec72edb7ea02d4e198a02a
                                                • Instruction ID: 6b097513bf7a09ff658ca1c38de7c4a3cc2f21e328c325ddfd099efb9b2a6103
                                                • Opcode Fuzzy Hash: a262da2dd2052c50dcc4dc27ddeb05bda7f8a4deabec72edb7ea02d4e198a02a
                                                • Instruction Fuzzy Hash: 88115978806208CFC710DF88C584AA8BBF5FB49349F24A194D44DE7616D335ED95CF64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: V
                                                • API String ID: 0-1342839628
                                                • Opcode ID: 6f33b2a031666aa83b9752fddc5dce230f43e3eb2f0b89b2cee9a3e3e9901779
                                                • Instruction ID: 87a6e55277cbadea1b521a1866eb49644eb5ba716e7087fe448ec5df3987d4fe
                                                • Opcode Fuzzy Hash: 6f33b2a031666aa83b9752fddc5dce230f43e3eb2f0b89b2cee9a3e3e9901779
                                                • Instruction Fuzzy Hash: 02113478C09609EFCB44DFA9D8182ADBFFAEF49300F1091A9C41AE7291D7309A41CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: V
                                                • API String ID: 0-1342839628
                                                • Opcode ID: 71a540232fc9e9678911744677ca97fb54b21e4499160c976bc2c76ad8b5837e
                                                • Instruction ID: 11b1d34986713bca7ba1730b8ecda0517ac293e32992fa1cb6660448caabd922
                                                • Opcode Fuzzy Hash: 71a540232fc9e9678911744677ca97fb54b21e4499160c976bc2c76ad8b5837e
                                                • Instruction Fuzzy Hash: 7E1103B8D0920DDBCB44DFA9D8482ADBBFAFB49304F10D169D42AE7290D7709A41CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7fbe58d3d16fe05bd1e1a19a787356574b563a3a026e5ac1881dc9497993ff0
                                                • Instruction ID: ab7661cb5a624828d70bb61f9244f46d623a96fa5a89c30aaf903cddeea62da6
                                                • Opcode Fuzzy Hash: a7fbe58d3d16fe05bd1e1a19a787356574b563a3a026e5ac1881dc9497993ff0
                                                • Instruction Fuzzy Hash: 3C62D134A01218DFDB64DB64C984B9DB7B2FF89300F5184E8E549AB361DB35AE89CF11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4176a2f2801215c59a77d935bc218926f59938602d8bfcaf6a2ac4fd2cdc0797
                                                • Instruction ID: 3492c59775ed79b82e5518c5678c01fcec1919b447df63dd6a66ec051070bc06
                                                • Opcode Fuzzy Hash: 4176a2f2801215c59a77d935bc218926f59938602d8bfcaf6a2ac4fd2cdc0797
                                                • Instruction Fuzzy Hash: 1162C134A01218DFDB64DB64C984B9DB7B2FF89300F5184E8E549AB361DB35AE89CF11
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7eb67177acf918236742e01cb562de731eba776a25e59a972207c57caa6862c1
                                                • Instruction ID: ce6da9bf70f8297acf10fca02b30eca316e17d9acf3403fb34b3be455e106e95
                                                • Opcode Fuzzy Hash: 7eb67177acf918236742e01cb562de731eba776a25e59a972207c57caa6862c1
                                                • Instruction Fuzzy Hash: 97C15578802249CFDB00DF98C184AADBBF5FB05349F25D1A4E458EB696C3B5E885CF64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8d7d80505b3403671b38f6e49e27091930d6c794dee28e54448ade059e88e779
                                                • Instruction ID: 4a51f63b360ac82f9d0226403f4b96e914494fc6c73d47a444753c0fcfc36ee0
                                                • Opcode Fuzzy Hash: 8d7d80505b3403671b38f6e49e27091930d6c794dee28e54448ade059e88e779
                                                • Instruction Fuzzy Hash: 5BC16778801289CFEB00DF98C184AADBBF1FB05359F25D194E448EB656C3B5E885CF64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4eee9b465a7b6ba99ac4576dc3d672c5ac22c8035e50056b143b0dbe4b704c0d
                                                • Instruction ID: 1aabc478b082e39a9513b29c8504fae1bee2c45f726e3dbd21bfb345aa7ca907
                                                • Opcode Fuzzy Hash: 4eee9b465a7b6ba99ac4576dc3d672c5ac22c8035e50056b143b0dbe4b704c0d
                                                • Instruction Fuzzy Hash: CAC15478801249CFDB00DF98C184AADBBF2FB04359F25D194E458EB696C3B9E885CF64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5fd1ff2fa38873028dfb236c6603218de44e60c57476eab173779f847e0d0fe7
                                                • Instruction ID: ea30d5775c1ff78591b7627561d79694b65c1e1981c87d7c44f873f10fc88782
                                                • Opcode Fuzzy Hash: 5fd1ff2fa38873028dfb236c6603218de44e60c57476eab173779f847e0d0fe7
                                                • Instruction Fuzzy Hash: 5FA10378E04218CFDB25CFA5C888BADBBB2BF46304F1491A9D049BB651C7749A85CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a19540e5f7c2b8ecaac57807230bdb964ae80e1813628891b0ecb3c8b19705f
                                                • Instruction ID: 0a4010a7c804f414f9cbb94236dbbdc94beac725bc441ea76f5fbcbc64a028b4
                                                • Opcode Fuzzy Hash: 6a19540e5f7c2b8ecaac57807230bdb964ae80e1813628891b0ecb3c8b19705f
                                                • Instruction Fuzzy Hash: D691BF78D0420DCFDB10CF98C580AEEBBB5FF49318F649119E819EB245D775A986CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4e6339c2e3cc1b2eb8bc0087bea1f3f1deefe0e3bc391ac00bb80f5126588b1
                                                • Instruction ID: 971649248fb202fca999c685f0124218135ef8d57eb332c817683a9423c47afa
                                                • Opcode Fuzzy Hash: b4e6339c2e3cc1b2eb8bc0087bea1f3f1deefe0e3bc391ac00bb80f5126588b1
                                                • Instruction Fuzzy Hash: CC91D0BCD08208DFCB14CF99D084AADBBB6BF49314F949169E819AB351D378E985CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3265c36a997b69e4664857426c18af83e23f006933c9c6ff05309203d0240ea5
                                                • Instruction ID: a2425bb255ff5edd8f715e5136fad11818d3b7007ade7c97329eb62dd8ccf72c
                                                • Opcode Fuzzy Hash: 3265c36a997b69e4664857426c18af83e23f006933c9c6ff05309203d0240ea5
                                                • Instruction Fuzzy Hash: 38619EBCA09208EFCB04CFA8D5809ADBBB6FF49314F509569E806AB355D734E955CF40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7aa417794b3d641a9453118b98c28134533eb005bfc487c28bea99362aa61b0c
                                                • Instruction ID: aae37d3319c10415ba986d034ae5b0a257a45a1213ec3248d10e27cc4975794c
                                                • Opcode Fuzzy Hash: 7aa417794b3d641a9453118b98c28134533eb005bfc487c28bea99362aa61b0c
                                                • Instruction Fuzzy Hash: 3151F3BDD0920CEFCB00CFA9C4847EDBBF5AB49308F1091A9E415E6252D7748A84EF52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 506563988b3971051717efe7e8726340315fa8dfbf1b114d312f252b113f6cda
                                                • Instruction ID: 90a5b60ba5bcf52d678b42dda576e598e04a877a0d69c266cfd49737acd7da74
                                                • Opcode Fuzzy Hash: 506563988b3971051717efe7e8726340315fa8dfbf1b114d312f252b113f6cda
                                                • Instruction Fuzzy Hash: AE51AFBC908208DFCB44CF98D4849ADBBBAFF59324F509169E819AB351D734E985CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f2fe1eca18913ebf44b8a1f1c5f8b2867c04bb598293c4b22b79d6203c9d019c
                                                • Instruction ID: c735a8ae99e018a2f096bc5adb993f839503843da5fde821f472e73e5fc12bca
                                                • Opcode Fuzzy Hash: f2fe1eca18913ebf44b8a1f1c5f8b2867c04bb598293c4b22b79d6203c9d019c
                                                • Instruction Fuzzy Hash: AE41D27CE05219DBDB00CF98D480AEDFBBAFF8A308F219555E855E7211D371A945CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c7d29551f25e76d12af42afccbe36c309c8acb2c0cd571d71c0eb16117275bd
                                                • Instruction ID: 7b09cd6747969c1b6a62bde731a325d50e8c35dc05f6f145a0ce66bf82c9bf9b
                                                • Opcode Fuzzy Hash: 3c7d29551f25e76d12af42afccbe36c309c8acb2c0cd571d71c0eb16117275bd
                                                • Instruction Fuzzy Hash: 7041E878E05208DBEB14DFA9D848BEDBBF6EF89300F108029E409BB354DB309946CB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 448542617dec9ea79613e8fe26f72ac15a3c51849ec2f25ed96292af87a6b43f
                                                • Instruction ID: fcdec6262bff85754b1a4f40736fb7f711f91cf14a61c1dee47f8946bdd69da7
                                                • Opcode Fuzzy Hash: 448542617dec9ea79613e8fe26f72ac15a3c51849ec2f25ed96292af87a6b43f
                                                • Instruction Fuzzy Hash: 5341E678D04218DFCB18DFA9D544AAEBBB2FF89304F208069D805A7359DB35AD42CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c3d4ee168b4f3d0158dd82c3745f4fa6e1604b00a1e63dd8517e5eeb5f5a063c
                                                • Instruction ID: c7d82d0343f807a9a7a3413bcba65485e4f3e30ea513436c94189cc993580562
                                                • Opcode Fuzzy Hash: c3d4ee168b4f3d0158dd82c3745f4fa6e1604b00a1e63dd8517e5eeb5f5a063c
                                                • Instruction Fuzzy Hash: 2041F47DD09248EFCB00CFA8C584BDCBBB5AF0A308F145099E405E7252D7349A84EF12
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef1ccbbb52af6a3977696336955e3e0d5bf2fe9167d85b011599a5107d42542a
                                                • Instruction ID: eb76be93766345aad3120847ae9b682a0f9d38b5671329c8181ca24ff0e0298b
                                                • Opcode Fuzzy Hash: ef1ccbbb52af6a3977696336955e3e0d5bf2fe9167d85b011599a5107d42542a
                                                • Instruction Fuzzy Hash: E541C4B4E012489FDB44DFA9D985AAEFBF2FF88300F208169E514A7354DB716941CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d02a50fbdd840295b039a4c351975828dce8c7eb0f26572019769e4afcb00a2
                                                • Instruction ID: 91518bec05b4951e11492de5ef13d628e0c86b324d5913f2b6404db4f0e36c45
                                                • Opcode Fuzzy Hash: 2d02a50fbdd840295b039a4c351975828dce8c7eb0f26572019769e4afcb00a2
                                                • Instruction Fuzzy Hash: 30210634B042698BCB45EBBD88546AEBBBAAF85700F24405AD409EB381DF309D15C7B5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b9e6db3c87cc3880778d647c881bd5ceae26011c65c870bddd21250fa50c60c6
                                                • Instruction ID: ae3fc3b9b0c07db386b9be865773f7ddbfd13e49fd72c1b61506e0d07fdee7af
                                                • Opcode Fuzzy Hash: b9e6db3c87cc3880778d647c881bd5ceae26011c65c870bddd21250fa50c60c6
                                                • Instruction Fuzzy Hash: CD3104349092AADFCB03DFA8C450699FBF0EF46300B1442E6D641DF252EB749995CBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3c5a05935ccf0ecdd79db1ceddc3b79e757bd667fe84749a2efac7ce087ef97
                                                • Instruction ID: 051284832eba6eaf0f98cbe1c0847c2cbba9a8d1f41f8471ca0b85c6da07d30a
                                                • Opcode Fuzzy Hash: a3c5a05935ccf0ecdd79db1ceddc3b79e757bd667fe84749a2efac7ce087ef97
                                                • Instruction Fuzzy Hash: 164182B4E012099FDB44DFAAD981AAEFBF2FF88300F208169E514A7354DB716951CF64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d53707076ee5ad33e1d541a4397b7dafda01b388ec2dac8a7859834ca59e922d
                                                • Instruction ID: 0dd1b58bc0f85de822a56bf6cd3fd1f5065e102c4cb37570d99f4c3fc487dd5d
                                                • Opcode Fuzzy Hash: d53707076ee5ad33e1d541a4397b7dafda01b388ec2dac8a7859834ca59e922d
                                                • Instruction Fuzzy Hash: 7E3103B8E04209DFCB04DFA9D491AAEBBF1FF49300F1481AAD819E7355D7359A42CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5708a07f2ebd895bea622c7d1f546f274c6780667586c1b237c7ea3320e17d80
                                                • Instruction ID: 03f12644713bf42c541063896b850dfadd4310b4ac30279c983032b1289a77ea
                                                • Opcode Fuzzy Hash: 5708a07f2ebd895bea622c7d1f546f274c6780667586c1b237c7ea3320e17d80
                                                • Instruction Fuzzy Hash: 9F219C78E05249DFCB45EFB8C440AADBBB1FF89300F1481A9D409E73A5DB349941CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 433ecdaff3ae42fe2643369c56bdcd85a44f516b4dbd6c9f3e0f284c49d7f199
                                                • Instruction ID: 3f114b78628cca31c189382652c79cc0b04c9f1a6cf064c2167fbfb1e198c9c0
                                                • Opcode Fuzzy Hash: 433ecdaff3ae42fe2643369c56bdcd85a44f516b4dbd6c9f3e0f284c49d7f199
                                                • Instruction Fuzzy Hash: 0111D06004F3C56FC30797B45C35A6ABFB09E83204B1E59DBE0C1DB1A3C6181A29D336
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 122bb58a428a45f42eed057202ebd55ebf20a4756770796c836fb80f63edd7e7
                                                • Instruction ID: 3d97820a6f1dedebd79612bbbd9c809f29c86336bfcc739481a1c9ecdb6e4828
                                                • Opcode Fuzzy Hash: 122bb58a428a45f42eed057202ebd55ebf20a4756770796c836fb80f63edd7e7
                                                • Instruction Fuzzy Hash: D2213878E08249CFCB05DFE9D8446AEBBB2FB49300F10919AD445AB361DB349905CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252729264.0000000002880000.00000040.00000040.sdmp, Offset: 02880000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 322f0dd3a2eb73d264e85699e4248dc529f453563a975ae1d1116c9de0290952
                                                • Instruction ID: 3e7c665cd67e6d55df103d3106dbf358855cfc78d9cfa011967b81ee0140a260
                                                • Opcode Fuzzy Hash: 322f0dd3a2eb73d264e85699e4248dc529f453563a975ae1d1116c9de0290952
                                                • Instruction Fuzzy Hash: 3311D63D204244DFD715EB24C984B26BB95EB88B08F24C59CE9499B753C77BD807CE51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3b639378a877bd854b82c06d8279acfdbe80efb16ce46d7735b0e1c747373a4
                                                • Instruction ID: 73ac627d0de8a970a4671afdcbb3a69ad79d90d175920bd449717d4b2bbe36e5
                                                • Opcode Fuzzy Hash: a3b639378a877bd854b82c06d8279acfdbe80efb16ce46d7735b0e1c747373a4
                                                • Instruction Fuzzy Hash: D9112678E09249DFCB01DFA8D8445AEBBB1FB49300F1091A6D859EB751D7349A50CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252729264.0000000002880000.00000040.00000040.sdmp, Offset: 02880000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 624afdc148b04c8806f9b21251680f065c91b43163fe755eadbfb0fcd4954f97
                                                • Instruction ID: 6bcc0e91fb1600dd9755f1ecb66eaf1c021cd97d856e873b4ebd5ae3df78cff1
                                                • Opcode Fuzzy Hash: 624afdc148b04c8806f9b21251680f065c91b43163fe755eadbfb0fcd4954f97
                                                • Instruction Fuzzy Hash: 8F216D3950D3C58FD7079B20C890B15BFB1AF47618F29C6DED4888B6A3C33A9806DB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2d6b0a36b63a40cdf8e88598732d5892e08b386adbaa9c7aada03f4ccc89413
                                                • Instruction ID: e9da0259ae4aa16c833e40e381d4cd882e5e906c0b734d41e0d3e0f41dfa68ba
                                                • Opcode Fuzzy Hash: e2d6b0a36b63a40cdf8e88598732d5892e08b386adbaa9c7aada03f4ccc89413
                                                • Instruction Fuzzy Hash: 1C21D8B4E01209DFDB44EFA9D545AADBBB1FF88300F108569E41AE7354DB346951CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252729264.0000000002880000.00000040.00000040.sdmp, Offset: 02880000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 263eb43525dda295ee97595a9ab7dfc29d8e090f76cc251aa8da796741df963f
                                                • Instruction ID: c734948f58f30a8a0aa8e869e2544d1d965dd9763ee5fbb9738d47d840b09599
                                                • Opcode Fuzzy Hash: 263eb43525dda295ee97595a9ab7dfc29d8e090f76cc251aa8da796741df963f
                                                • Instruction Fuzzy Hash: 9B0186B65097845FD712CF06EC40862FFA8EB86620709C4AFED499B612D225A909CB72
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57dd74c210d234f197930cba9cd1f6e946440362c78f16917596ebdcf25844e5
                                                • Instruction ID: 50136e2bb11a80a3fe993a916cadd2e579a1714844fe2a5d53c86befa4ddea70
                                                • Opcode Fuzzy Hash: 57dd74c210d234f197930cba9cd1f6e946440362c78f16917596ebdcf25844e5
                                                • Instruction Fuzzy Hash: B501E874D0011EDBCB04EFA8D555AADFBB1FF88300F1082A9A815A7355DB706E51CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7e9d0cab1de47b1e62ebd066c46f679f8ee1637b80ba92f23ae81bce41ae6b1a
                                                • Instruction ID: 3004390ef9c4a3f9bc29f8be5d00c119b920177fc4157972bf19ff4cc37fb58f
                                                • Opcode Fuzzy Hash: 7e9d0cab1de47b1e62ebd066c46f679f8ee1637b80ba92f23ae81bce41ae6b1a
                                                • Instruction Fuzzy Hash: 77F04F788093449FCB02DFA4D44459DBFB1EB4A340B1481EAD846D7326D2355D18CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252729264.0000000002880000.00000040.00000040.sdmp, Offset: 02880000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
                                                • Instruction ID: cde8b0d8d743484e96ca45175190f23158891a57dda413a0f199fd47e37df404
                                                • Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
                                                • Instruction Fuzzy Hash: 85F01D39204645DFC706DF40D940B15FBA6EB89718F24C6ADE9490B752C337D813DE81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9aca7a445413b4e07b4790aec39f5ea0716f856b4247b90f372296e582b65bd1
                                                • Instruction ID: a9ffa295fc8705eaf9867bcd5a057455490762820644daf4362bca4b287baa50
                                                • Opcode Fuzzy Hash: 9aca7a445413b4e07b4790aec39f5ea0716f856b4247b90f372296e582b65bd1
                                                • Instruction Fuzzy Hash: 09F08C7180E3848FCB069F609818AB8BF30EB43205F1452DAD805DB2A2D7714954CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252729264.0000000002880000.00000040.00000040.sdmp, Offset: 02880000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 53eb8b8e4597416ed166dfd010ed737c099a71d207173e6a1bd905776ce79603
                                                • Instruction ID: 39ebb505560982a88c9dcb99bb2aa2f3daf7ceb199306ec62db8b029cdb5e1b6
                                                • Opcode Fuzzy Hash: 53eb8b8e4597416ed166dfd010ed737c099a71d207173e6a1bd905776ce79603
                                                • Instruction Fuzzy Hash: 10E092B66006004BD650CF0AEC81462FBD8EB84730718C47FDC0D8B701D235B505CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252454576.0000000000DE2000.00000040.00000001.sdmp, Offset: 00DE2000, based on PE: false
                                                Non-executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.252709454.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false