
Analysis Report PROOF OF PAYMENT.exe

Overview

General Information

Sample Name: PROOF OF PAYMENT.exe
Analysis ID: 342778
MD5: dcf168394ef0a6d6774b099dd8493b75
SHA1: 565c77fa9f7f22229ff5aabad52f6f9e0c5fbce0
SHA256: 373e294fccf1cbc447469aeb6fc86678efbfd072b5035a295d1fc74ce6e9fd79
Tags: exe, NanoCore, RAT


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PROOF OF PAYMENT.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\PROOF OF PAYMENT.exe' MD5: DCF168394EF0A6D6774B099DD8493B75)
    • schtasks.exe (PID: 6012 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5820 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DCF168394EF0A6D6774B099DD8493B75)
    • schtasks.exe (PID: 2208 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6780 cmdline: {path} MD5: DCF168394EF0A6D6774B099DD8493B75)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.131"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
7.2.PROOF OF PAYMENT.exe.5ee0000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
7.2.PROOF OF PAYMENT.exe.5ee0000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PROOF OF PAYMENT.exe, ProcessId: 6816, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\PROOF OF PAYMENT.exe', ParentImage: C:\Users\user\Desktop\PROOF OF PAYMENT.exe, ParentProcessId: 7064, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp', ProcessId: 6012

Signature Overview


AV Detection:

Found malware configuration
Source: PROOF OF PAYMENT.exe.6816.7.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.131"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match | File source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY
Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\pJrVfPIhXgkUp.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PROOF OF PAYMENT.exe | Joe Sandbox ML: detected
Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack | Avira: Label: TR/NanoCore.fadte
Source: 17.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: PROOF OF PAYMENT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PROOF OF PAYMENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: ?\C:\Windows\dll\mscorlib.pdb source: PROOF OF PAYMENT.exe, 00000007.00000002.1027251638.0000000001081000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 1_2_00E71698
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 1_2_0508C55C
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] | 1_2_0508DF28
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 12_2_031D1698
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 12_2_031D15A9

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.140.53.131
Uses dynamic DNS services
Source: unknown | DNS query: name: amechi.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49750 -> 185.140.53.131:3190
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown | DNS traffic detected: queries for: amechi.duckdns.org
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PROOF OF PAYMENT.exe, 00000001.00000002.698087475.0000000002BA6000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.755447551.0000000003486000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html:
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667062493.000000000B3A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com(
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comD
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comR
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.come
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comf
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667062493.000000000B3A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comt
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comueX
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comva
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comz
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PROOF OF PAYMENT.exe, 00000001.00000003.675123633.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers(
Source: PROOF OF PAYMENT.exe, 00000001.00000003.668834638.000000000B3C9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PROOF OF PAYMENT.exe, 00000001.00000003.670641038.000000000B3C3000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PROOF OF PAYMENT.exe, 00000001.00000003.670715362.000000000B3C3000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlormal
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669981678.000000000B39D000.00000004.00000001.sdmp, PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PROOF OF PAYMENT.exe, 00000001.00000003.670107984.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html.
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PROOF OF PAYMENT.exe, 00000001.00000003.668897969.000000000B3A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersZ
Source: PROOF OF PAYMENT.exe, 00000001.00000003.668897969.000000000B3A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersj
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFf
Source: PROOF OF PAYMENT.exe, 00000001.00000003.670674990.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic_
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomd
Source: PROOF OF PAYMENT.exe, 00000001.00000003.670107984.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomd_
Source: PROOF OF PAYMENT.exe, 00000001.00000003.696672589.000000000B390000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcommm
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd_
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdiaF
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: PROOF OF PAYMENT.exe, 00000001.00000003.675123633.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comionF
Source: PROOF OF PAYMENT.exe, 00000001.00000003.675123633.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commm
Source: PROOF OF PAYMENT.exe, 00000001.00000003.668748768.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comnc.
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669066568.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671106569.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como.
Source: PROOF OF PAYMENT.exe, 00000001.00000003.696672589.000000000B390000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como5
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comtuedm
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comued
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp, PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnf
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnz
Source: PROOF OF PAYMENT.exe, 00000001.00000003.672895387.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: PROOF OF PAYMENT.exe, 00000001.00000003.672733617.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/.
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PROOF OF PAYMENT.exe, 00000001.00000003.674156675.000000000B3C3000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmY
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, PROOF OF PAYMENT.exe, 00000001.00000003.667385656.000000000B39C000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667263984.000000000B39C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//Mo_
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666912527.000000000B395000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Sue
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667263984.000000000B39C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/anie
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666912527.000000000B395000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/e
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/f
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667077696.000000000B399000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/on
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667077696.000000000B399000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/roso
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: PROOF OF PAYMENT.exe, 00000001.00000003.665018666.00000000010DC000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: dhcpmon.exe, 0000000C.00000002.754370160.0000000001598000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY
Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.1031725645.0000000005EE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 7.2.PROOF OF PAYMENT.exe.5ee0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: PROOF OF PAYMENT.exe
        PE file contains section with special chars
        Source: PROOF OF PAYMENT.exe | Static PE information: section name: \D|.aH
        Source: pJrVfPIhXgkUp.exe.1.dr | Static PE information: section name: \D|.aH
        Source: dhcpmon.exe.7.dr | Static PE information: section name: \D|.aH
        PE file has nameless sections
        Source: PROOF OF PAYMENT.exe | Static PE information: section name:
        Source: pJrVfPIhXgkUp.exe.1.dr | Static PE information: section name:
        Source: dhcpmon.exe.7.dr | Static PE information: section name:
        Source: PROOF OF PAYMENT.exe | Binary or memory string: OriginalFilename vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.705882982.00000000059F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.705882982.00000000059F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.697879693.0000000002AE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.705705198.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.697967874.0000000002B2B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.696982311.0000000000741000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameW4.exe4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe | Binary or memory string: OriginalFilename vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1027198906.0000000001058000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1031587707.0000000005E70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000003.700302329.00000000010E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameW4.exe4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1033040120.0000000006D30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe | Binary or memory string: OriginalFilenameW4.exe4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.1031725645.0000000005EE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.1031725645.0000000005EE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.PROOF OF PAYMENT.exe.5ee0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.PROOF OF PAYMENT.exe.5ee0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: PROOF OF PAYMENT.exe | Static PE information: Section: \D|.aH ZLIB complexity 1.00031458436
        Source: pJrVfPIhXgkUp.exe.1.dr | Static PE information: Section: \D|.aH ZLIB complexity 1.00031458436
        Source: dhcpmon.exe.7.dr | Static PE information: Section: \D|.aH ZLIB complexity 1.00031458436
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/8@27/2
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | File created: C:\Users\user\AppData\Roaming\pJrVfPIhXgkUp.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\PnmXhPVzgJDQDpLkGDRIrZrAwD
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c3f2ffac-72ce-4a70-9d04-4f6a62cc4c81}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_01
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE52C.tmp
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | File read: C:\Users\user\Desktop\PROOF OF PAYMENT.exe
        Source: unknown | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.exe 'C:\Users\user\Desktop\PROOF OF PAYMENT.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.exe {path}
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: PROOF OF PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: PROOF OF PAYMENT.exe | Static file information: File size 1168384 > 1048576
        Source: PROOF OF PAYMENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: ?\C:\Windows\dll\mscorlib.pdb | source: PROOF OF PAYMENT.exe, 00000007.00000002.1027251638.0000000001081000.00000004.00000020.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Unpacked PE file: 1.2.PROOF OF PAYMENT.exe.640000.0.unpack \D|.aH:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Unpacked PE file: 12.2.dhcpmon.exe.e60000.0.unpack \D|.aH:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
.NET source code contains potential unpacker
(Each hit below is a call to System.Reflection.Assembly.Load(byte[]) from an obfuscator-renamed method; the byte[] overload loads an assembly straight from memory, so the decrypted payload never has to be written to disk.)
Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs; .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs; .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs; .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs; .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample; Static PE information: 0x83ABA3EF [Sun Jan 1 20:51:59 2040 UTC] (a link time in 2040 is forged or written by the packer, not a genuine build date)
Source: PROOF OF PAYMENT.exe; Static PE information: section name: \D|.aH
Source: PROOF OF PAYMENT.exe; Static PE information: section name: (empty)
Source: pJrVfPIhXgkUp.exe.1.dr; Static PE information: section name: \D|.aH
Source: pJrVfPIhXgkUp.exe.1.dr; Static PE information: section name: (empty)
Source: dhcpmon.exe.7.dr; Static PE information: section name: \D|.aH
Source: dhcpmon.exe.7.dr; Static PE information: section name: (empty)
(The push/retf and push cs/iretd pairs below are not meaningful instruction sequences; the disassembler is walking encrypted or non-code bytes.)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Code function: 1_2_00721604 push cs; iretd 1_2_007215F6
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Code function: 1_2_007215D8 push cs; iretd 1_2_007215F6
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Code function: 1_2_00722989 push ebp; retf 1_2_0072298A
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Code function: 1_2_00E73A43 push esi; retf 1_2_00E73A45
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Code function: 1_2_00E71F2A push ebp; retf 1_2_00E71F2E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 12_2_00F415D8 push cs; iretd 12_2_00F415F6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 12_2_00F42989 push ebp; retf 12_2_00F4298A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 12_2_00F41604 push cs; iretd 12_2_00F415F6
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 12_2_031D1F2A push ebp; retf 12_2_031D1F2E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 12_2_031D3A43 push esi; retf 12_2_031D3A45
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 12_2_05BB34A6 push edx; iretd 12_2_05BB34A7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 17_2_0541B5E0 push eax; retf 17_2_0541B5ED
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 17_2_054169F8 pushad ; retf 17_2_054169F9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 17_2_054169FB push esp; retf 17_2_05416A01
Source: initial sample; Static PE information: section name: \D|.aH entropy: 7.99982924254 (of a maximum of 8.0 bits per byte: the section is effectively random, i.e. encrypted or compressed, which matches the in-memory unpacking recorded above)
Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs; High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs; High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs; High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs; High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; File created: C:\Users\user\AppData\Roaming\pJrVfPIhXgkUp.exe
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
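The static traits the sandbox reports for this sample (a build stamp in 2040, a section named \D|.aH next to a nameless one, section entropy just under 8.0, a writable and executable section, and the .NET COM descriptor directory) can all be checked without running the file. The script below is an added example, not part of the Joe Sandbox report or its tooling: it carries its own minimal PE32/PE32+ header parser (standard library only, no pefile) and builds a constructed, deterministic PE image that reproduces those traits so it runs offline. Pass real file bytes to triage() to use it on a sample; the 7.9-bit entropy threshold and the COMMON_SECTIONS allowlist are heuristics chosen here, not values from the report.

```python
"""Static triage for the PE traits listed above: a 2040 build stamp, the
'\\D|.aH' and nameless sections, ~8.0-bit section entropy, W+X sections
and the .NET COM descriptor.  Added example, not part of the report;
standard library only, with a constructed PE32 image so it runs offline."""
import math
import random
import struct
import time

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".tls", ".bss", ".crt"}   # heuristic allowlist

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(image):
    """Minimal PE32/PE32+ header walk: build stamp, section table, CLR directory."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, fh)
    opt = fh + 20
    magic, = struct.unpack_from("<H", image, opt)
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    ndirs, = struct.unpack_from("<I", image, dirs - 4)
    com_rva = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, _ = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    for i in range(nsect):
        name, _, rva, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "rva": rva,
                         "characteristics": chars,
                         "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size])})
    return {"timestamp": stamp, "has_com_descriptor": com_rva != 0, "sections": sections}

def triage(image, now=None):
    """Return 'tag: detail' findings; `now` lets tests pin the reference time."""
    pe = parse_pe(image)
    now = time.time() if now is None else now
    out = []
    if pe["timestamp"] > now:                               # link time in the future
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(pe["timestamp"]))
        out.append("future-timestamp: 0x%08X = %s UTC" % (pe["timestamp"], when))
    if pe["has_com_descriptor"]:
        out.append("dotnet: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present")
    for s in pe["sections"]:
        label = repr(s["name"])
        if s["name"] == "":
            out.append("nameless-section")
        elif s["name"].lower() not in COMMON_SECTIONS:
            out.append("odd-section-name: " + label)
        if s["entropy"] > 7.9:                              # encrypted or compressed payload
            out.append("high-entropy: %s %.3f" % (label, s["entropy"]))
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            out.append("wx-section: " + label)
    return out

def build_sample():
    """Constructed, deterministic PE32 image reproducing the report's traits."""
    n = 1 << 16
    packed = random.Random(342778).getrandbits(8 * n).to_bytes(n, "little")  # fake encrypted stub
    sections = [(b"\\D|.aH", packed, 0xE0000020),          # CODE | EXECUTE | READ | WRITE
                (b"", b"\0" * 0x200, 0xC0000040),          # nameless: DATA | READ | WRITE
                (b".text", b"\xC3" * 0x200, 0x60000020)]   # CODE | EXECUTE | READ
    opt_size = 224
    raw_off = (0x40 + 4 + 20 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x83ABA3EF, 0, 0, opt_size, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)  # non-empty CLR header entry
    opt_hdr = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
               + b"".join(struct.pack("<II", *d) for d in dirs))
    table, body, rva = b"", b"", 0x1000
    for name, data, chars in sections:
        raw = data + b"\0" * (-len(data) % 0x200)
        table += struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(raw),
                             raw_off + len(body), 0, 0, 0, 0, chars)
        body += raw
        rva += (len(data) + 0xFFF) & ~0xFFF
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + table
    return headers + b"\0" * (raw_off - len(headers)) + body

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Run it as-is to see the findings for the constructed image; on a real file, `triage(open(path, "rb").read())` is enough. The entropy check is the one that survives renaming and re-signing: a packer can pick any section name it likes, but an encrypted payload cannot avoid looking random.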

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'
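The persistence pattern above has several detectable properties at once: the task definition is passed as an XML file in %TEMP% with a tmpXXXX.tmp name of the kind Path.GetTempFileName() produces, the parent runs from the user's Desktop, and the image actually created is SysWOW64\schtasks.exe although the command line names System32\schtasks.exe, which only happens when a 32-bit (WOW64) parent is redirected. The script below is an added example of detection logic for process-creation telemetry, not part of the report or of any vendor rule; it assumes events shaped like Sysmon Event ID 1 (ParentImage, Image, CommandLine), and SAMPLE_EVENTS is constructed from the report's two schtasks entries plus two benign invocations.

```python
"""Flag schtasks.exe /Create invocations that look like malware persistence.
Added example, not part of the report; SAMPLE_EVENTS is constructed from the
report's process-creation entries plus two benign lines."""
import re

# Windows-style tokenizer: keeps quoted arguments together.  The report shows
# single quotes around arguments, real logs use double quotes; accept both.
_TOKEN = re.compile(r"\"[^\"]*\"|'[^']*'|\S+")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata|documents)\\", re.I)
TMP_NAME = re.compile(r"\\tmp[0-9a-f]{1,4}\.tmp$", re.I)   # Path.GetTempFileName() style

def tokenize_cmdline(cmdline):
    return [t[1:-1] if t[0] in "\"'" else t for t in _TOKEN.findall(cmdline)]

def analyze_schtasks(parent_image, child_image, cmdline):
    """Reasons this invocation looks like persistence; [] for non-/Create or benign."""
    argv = tokenize_cmdline(cmdline)
    if not argv or not argv[0].lower().endswith("schtasks.exe"):
        return []
    # map each /flag to the token that follows it
    flags = {a.lower(): (argv[i + 1] if i + 1 < len(argv) else "")
             for i, a in enumerate(argv) if a.startswith("/")}
    if "/create" not in flags:
        return []
    reasons = []
    xml = flags.get("/xml", "")
    if any(d in xml.lower() for d in TEMP_DIRS):
        reasons.append("task XML read from a temp directory")
    if TMP_NAME.search(xml):
        reasons.append("task XML has a tmpXXXX.tmp name (Path.GetTempFileName)")
    if USER_WRITABLE.search(parent_image):
        reasons.append("parent executes from a user profile directory")
    if child_image.lower().startswith("c:\\windows\\syswow64\\") and "\\system32\\" in argv[0].lower():
        reasons.append("32-bit parent: System32 path redirected to SysWOW64")
    return reasons

def scan(events):
    """events: (parent_image, child_image, cmdline) triples; returns (parent, reasons) alerts."""
    alerts = []
    for parent, child, cmdline in events:
        reasons = analyze_schtasks(parent, child, cmdline)
        if reasons:
            alerts.append((parent, reasons))
    return alerts

# Constructed sample telemetry modelled on the report (first two) plus benign lines.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\PROOF OF PAYMENT.exe", r"C:\Windows\SysWOW64\schtasks.exe",
     r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'"),
    (r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe", r"C:\Windows\SysWOW64\schtasks.exe",
     r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp'"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /Create /TN "Backup\Nightly" /TR "C:\Tools\backup.exe" /SC DAILY /ST 02:00'),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /Query /TN "Backup\Nightly"'),
]

if __name__ == "__main__":
    for parent, reasons in scan(SAMPLE_EVENTS):
        print(parent, "->", "; ".join(reasons))
```

The temp-directory XML and the tmpXXXX.tmp name are the strong signals; the parent-path check is there to separate a dropped executable on the Desktop from an installer in Program Files, which is why the dhcpmon.exe copy scores lower than the original despite running the same command. Once the task exists, the XML can be pulled back from C:\Windows\System32\Tasks\Updates\ even though the temp file is gone.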

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; File opened: C:\Users\user\Desktop\PROOF OF PAYMENT.exe:Zone.Identifier read attributes | delete
(Opening its own Zone.Identifier alternate data stream with DELETE access removes the Mark-of-the-Web, so SmartScreen and the Attachment Manager stop treating the file as an Internet download. On a live host the stream can be listed with dir /r or Get-Item -Stream * in PowerShell.)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Process information set: NOOPENFILEERRORBOX (SetErrorMode(SEM_NOOPENFILEERRORBOX): suppresses the dialog Windows shows when a file or DLL cannot be found; a weak indicator on its own that recurs throughout the log)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match; File source: 00000001.00000002.697967874.0000000002B2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PROOF OF PAYMENT.exe PID: 7064, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 5820, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PROOF OF PAYMENT.exe, 00000001.00000002.697967874.0000000002B2B000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PROOF OF PAYMENT.exe, 00000001.00000002.697967874.0000000002B2B000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
(wine_get_unix_file_name is an export of Wine's kernel32.dll and SbieDll.dll is injected into every process Sandboxie supervises; both are classic GetModuleHandle/GetProcAddress probes for a non-native environment.)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (device interface path of the analysis VM's virtual CD-ROM; the NECVMWar vendor string identifies VMware)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Thread delayed: delay time: 922337203685477
(922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds: these are indefinite waits, a blocked main thread or a wait on a handle, not timed sleeps.)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Window / User API: threadDelayed 3488
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Window / User API: threadDelayed 5648
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Window / User API: foregroundWindowGot 1157
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Window / User API: foregroundWindowGot 410
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe TID: 7068; Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe TID: 7140; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe TID: 6616; Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6044; Thread sleep time: -31500s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6652; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7092; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: VMware
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1033040120.0000000006D30000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: VMWARE
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1033040120.0000000006D30000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1033040120.0000000006D30000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: VMware
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp; Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1027324927.00000000010E0000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1033040120.0000000006D30000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
(The Hyper-V lines are standard Windows error-message text and weak evidence on their own; the VMware Tools registry path, the VMware SVGA II adapter name and the Scsi/Disk\Enum device-map keys found in dhcpmon.exe are the substantive hypervisor checks.)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe; Process information queried: ProcessInformation

        Anti Debugging:

        Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe Code function: 1_2_00E71698 CheckRemoteDebuggerPresent,1_2_00E71698
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe Process queried: DebugPort
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1029260124.000000000328A000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1027657692.0000000001790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1027657692.0000000001790000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1031493566.0000000005E5B000.00000004.00000001.sdmp Binary or memory string: Program ManagerP
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1027657692.0000000001790000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1032071709.00000000060FC000.00000004.00000001.sdmp Binary or memory string: Program ManagerPB
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1028629577.0000000002E90000.00000004.00000001.sdmp Binary or memory string: Program ManagerHa8k
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe Queries volume information: C:\Users\user\Desktop\PROOF OF PAYMENT.exe VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Users\user\Desktop\PROOF OF PAYMENT.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        (Numbers in parentheses are the report's per-technique hit counts; an empty cell means no technique is listed for that tactic in that row.)

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Process Injection (12) | Masquerading (2) | Input Capture (21) | Security Software Discovery (221) | Remote Services | Input Capture (21) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job (1) | Virtualization/Sandbox Evasion (4) | LSASS Memory | Virtualization/Sandbox Evasion (4) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (12) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (1) | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (21) | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories (1) | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (23) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

        Behavior Graph

        Behavior Graph ID: 342778
        Sample: PROOF OF PAYMENT.exe
        Start date: 21/01/2021
        Architecture: WINDOWS
        Score: 100

        Analysis start (node 2):
        • DNS/IP: amechi.duckdns.org
        • Signature: Found malware configuration
        • Signature: Malicious sample detected (through community Yara rule)
        • Signature: Sigma detected: Scheduled temp file as task from temp location
        • 17 other signatures
        • started PROOF OF PAYMENT.exe (node 8)
        • started dhcpmon.exe (node 11)

        PROOF OF PAYMENT.exe (node 8):
        • dropped C:\Users\user\AppData\...\pJrVfPIhXgkUp.exe, PE32
        • dropped C:\Users\user\AppData\Local\...\tmpE52C.tmp, XML
        • dropped C:\Users\user\...\PROOF OF PAYMENT.exe.log, ASCII
        • started PROOF OF PAYMENT.exe (node 13)
        • started schtasks.exe (node 18)

        dhcpmon.exe (node 11):
        • started schtasks.exe (node 20)
        • started dhcpmon.exe (node 22)

        PROOF OF PAYMENT.exe (node 13):
        • DNS/IP: amechi.duckdns.org 185.140.53.131, 3190, 49750, 49753, DAVID_CRAIGGG Sweden
        • DNS/IP: 192.168.2.1 unknown unknown
        • dropped C:\Program Files (x86)\...\dhcpmon.exe, PE32
        • dropped C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859
        • dropped C:\...\dhcpmon.exe:Zone.Identifier, ASCII
        • Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)

        schtasks.exe (node 18):
        • started conhost.exe (node 24)

        schtasks.exe (node 20):
        • started conhost.exe (node 26)

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        PROOF OF PAYMENT.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\pJrVfPIhXgkUp.exe | 100% | Joe Sandbox ML |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        12.2.dhcpmon.exe.e60000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack | 100% | Avira | TR/NanoCore.fadte
        1.2.PROOF OF PAYMENT.exe.640000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        17.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        7.2.PROOF OF PAYMENT.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        Source | Detection | Scanner | Label
        amechi.duckdns.org | 4% | Virustotal |

        URLs


        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        amechi.duckdns.org | 185.140.53.131 | true | true | | unknown

        URLs from Memory and Binaries

                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.comcommmPROOF OF PAYMENT.exe, 00000001.00000003.696672589.000000000B390000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.comalic_PROOF OF PAYMENT.exe, 00000001.00000003.670674990.000000000B39D000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://www.fontbureau.com/designers/PROOF OF PAYMENT.exe, 00000001.00000003.668834638.000000000B3C9000.00000004.00000001.sdmpfalse
                                            high

                                            Contacted IPs


                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.131 | unknown | Sweden | 209623 | DAVID_CRAIGGG | true

                                            Private

                                            IP
                                            192.168.2.1

                                            General Information

                                            Joe Sandbox Version:31.0.0 Red Diamond
                                            Analysis ID:342778
                                            Start date:21.01.2021
                                            Start time:18:19:11
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 11m 58s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:PROOF OF PAYMENT.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@12/8@27/2
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 1.9% (good quality ratio 0.7%)
                                            • Quality average: 22.7%
                                            • Quality standard deviation: 33.2%
                                            HCA Information:
                                            • Successful, ratio: 95%
                                            • Number of executed functions: 95
                                            • Number of non-executed functions: 17
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 104.43.193.48, 23.211.6.115, 40.88.32.150, 51.11.168.160, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129
                                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
18:20:12 | API Interceptor | 1323x Sleep call for process: PROOF OF PAYMENT.exe modified
18:20:26 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:20:42 | API Interceptor | 1x Sleep call for process: dhcpmon.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match | Associated Sample Name / URL | Detection
185.140.53.131 | PROOF OF PAYMENT.exe | malicious
 | Urgent order 1812021-672 Q30721,pdf.exe | malicious
 | PROOF OF PAYMENT.exe | malicious
 | RÖSLER Puchase_tcs 10-28-2020,pdf.exe | malicious

                                                    Domains

Match | Associated Sample Name / URL | Detection | Context
amechi.duckdns.org | PROOF OF PAYMENT.exe | malicious | 185.140.53.131
 | PROOF OF PAYMENT.exe | malicious | 185.140.53.131
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.82
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.69
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.69
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.69
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.69
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.69
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.71
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.71
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.71
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.71
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.71
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.71
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.71
 | PROOF OF PAYMENT.exe | malicious | 79.134.225.73
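The context tables give the network indicators a SOC would hunt on: the C2 host amechi.duckdns.org, a dynamic-DNS name (as the "Uses dynamic DNS services" signature notes) that resolved to 185.140.53.131 on AS209623 during this run and to several 79.134.225.x addresses in earlier submissions. The following Python is an added example, not part of the Joe Sandbox report, that turns those indicators into detection logic and runs it over constructed DNS and connection log lines. The log formats, the sample lines, the destination port and the dynamic-DNS suffixes other than duckdns.org are assumptions; only the domain and IP come from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from this report's Domains / IPs context tables.
C2_DOMAINS = {"amechi.duckdns.org"}
C2_IPS = {"185.140.53.131"}
# duckdns.org is the provider this sample uses; the other suffixes are assumed
# additions for coverage of common dynamic-DNS services, not from the report.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "hopto.org", "ddns.net")

# Constructed log lines (not from the sandbox run) in two assumed formats:
#   <ts> dns  <client> query <qname> -> <answer_ip>
#   <ts> conn <client> -> <dst_ip>:<port>/<proto>
SAMPLE_LOGS = """\
2021-01-21T18:20:31Z dns 192.168.2.5 query amechi.duckdns.org -> 185.140.53.131
2021-01-21T18:20:32Z conn 192.168.2.5 -> 185.140.53.131:8080/tcp
2021-01-21T18:21:05Z dns 192.168.2.7 query www.example.com -> 198.51.100.20
2021-01-21T18:22:40Z dns 192.168.2.9 query other-host.duckdns.org -> 203.0.113.10
2021-01-21T18:23:00Z conn 192.168.2.9 -> 203.0.113.10:443/tcp
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<src>\S+) query (?P<qname>\S+) -> (?P<answer>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)/(?P<proto>\w+)$")


@dataclass
class Hit:
    ts: str
    src: str
    reason: str
    indicator: str
    severity: str


def classify_domain(qname: str) -> Optional[Tuple[str, str]]:
    """Exact C2 match is high severity; any dynamic-DNS name is medium (legit users exist)."""
    name = qname.rstrip(".").lower()
    if name in C2_DOMAINS:
        return ("known NanoCore C2 domain", "high")
    if any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES):
        return ("dynamic-DNS hostname", "medium")
    return None


def scan_logs(text: str) -> List[Hit]:
    """Match each DNS answer and outbound connection against the indicators."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            verdict = classify_domain(m["qname"])
            if verdict:
                hits.append(Hit(m["ts"], m["src"], verdict[0], m["qname"], verdict[1]))
            if m["answer"] in C2_IPS:  # catches a renamed dyndns label pointing at the same server
                hits.append(Hit(m["ts"], m["src"], "resolved to known C2 IP", m["answer"], "high"))
            continue
        m = CONN_RE.match(line)
        if m and m["dst"] in C2_IPS:
            hits.append(Hit(m["ts"], m["src"], "connection to known C2 IP",
                            f"{m['dst']}:{m['port']}", "high"))
    return hits


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"{h.ts} {h.src} [{h.severity}] {h.reason}: {h.indicator}")
```

The two tiers matter in practice: the exact domain and IP from the report are safe to block outright, while the duckdns.org suffix match is an alert, not a block, because dynamic-DNS providers also serve benign traffic; the answer-IP check is what still fires when the operator rotates to a new duckdns label on the same server.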

                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
DAVID_CRAIGGG | SecuriteInfo.com.Artemis1A5E2411DEA6.exe | malicious | 91.193.75.204
 | Payment Invoice PDF.exe | malicious | 185.244.30.18
 | New Doc 20211401#_our new price.exe | malicious | 91.193.75.243
 | company profile.exe | malicious | 185.140.53.227
 | NEWORDERrefno0992883jpg.exe | malicious | 185.140.53.253
 | richiealvin.exe | malicious | 91.193.75.185
 | Quotation.exe | malicious | 185.140.53.154
 | DHL Delivery Shipping Cargo. Pdf.exe | malicious | 185.244.30.18
 | CompanyLicense.exe | malicious | 185.140.53.253
 | Purchase Order 2094742424.exe | malicious | 185.244.30.132
 | PURCHASE OREDER. PRINT. pdf.exe | malicious | 91.193.75.45
 | PO.exe | malicious | 185.140.53.234
 | SWIFT.exe | malicious | 185.140.53.154
 | SecuriteInfo.com.BScope.Trojan-Dropper.Injector.exe | malicious | 185.140.53.234
 | PROOF OF PAYMENT.exe | malicious | 185.140.53.131
 | Orden n.º STL21119, pdf.exe | malicious | 185.140.53.129
 | Proof of Payment.exe | malicious | 185.244.30.51
 | DxCHoDnNLn.exe | malicious | 185.140.53.202
 | T7gzTHDZ7g.rtf | malicious | 185.140.53.202
 | PO - 2021-000511.exe | malicious | 185.244.30.69

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1168384
                                                    Entropy (8bit):7.897636731334413
                                                    Encrypted:false
                                                    SSDEEP:24576:E2cXDkZfhBL97dNqehj/5L3xqpljbfrRUoq7Ohn:E2MiBBRNb5LBepfrhqyN
                                                    MD5:DCF168394EF0A6D6774B099DD8493B75
                                                    SHA1:565C77FA9F7F22229FF5AABAD52F6F9E0C5FBCE0
                                                    SHA-256:373E294FCCF1CBC447469AEB6FC86678EFBFD072B5035A295D1FC74CE6E9FD79
                                                    SHA-512:6F19BD8C1CE255848FC9E60B92B758AC960C81E3CB4C3C7BC5E520DE5B03CFC0A2244891150B50ECC179FC35A9D7F9477E567BDD275B32B4873FE640DAFE7AC9
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    Reputation:low
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................0..............@....... ....@.. .......................`............@.....................................O............................ .......................................................@..................H............\.D|.aH..... ......................@....text............................... ..`.rsrc...............................@..@.reloc....... ......................@..B.............@...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PROOF OF PAYMENT.exe.log
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.355304211458859
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                                    MD5:B666A4404B132B2BF6C04FBF848EB948
                                                    SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                                    SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                                    SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                                    Malicious:true
                                                    Reputation:moderate, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.355304211458859
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                                    MD5:B666A4404B132B2BF6C04FBF848EB948
                                                    SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                                    SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                                    SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    C:\Users\user\AppData\Local\Temp\tmp5106.tmp
                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1646
                                                    Entropy (8bit):5.189454496599504
                                                    Encrypted:false
                                                    SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGwTtn:cbhK79lNQR/rydbz9I3YODOLNdq3Z
                                                    MD5:C6FAB75DB50999549C6154EF264BE80C
                                                    SHA1:EB84E6A1F6F4CDA87BC0BFA0C33FB853876123E5
                                                    SHA-256:BE05BA07F3B94AE7D7C76A5FEF997D900D5DFA9A9E6A190EA2DD5A8736AE5391
                                                    SHA-512:8E1054F87068027847AFDF2F60CB2B6BBE2FB674C31E1A1B8C93DEF4438591709A2E705E4AD7898C236028A3A3D3972BE62FF57AF5965139C9ECF2FD2D43720D
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Local\Temp\tmpE52C.tmp
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1646
                                                    Entropy (8bit):5.189454496599504
                                                    Encrypted:false
                                                    SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGwTtn:cbhK79lNQR/rydbz9I3YODOLNdq3Z
                                                    MD5:C6FAB75DB50999549C6154EF264BE80C
                                                    SHA1:EB84E6A1F6F4CDA87BC0BFA0C33FB853876123E5
                                                    SHA-256:BE05BA07F3B94AE7D7C76A5FEF997D900D5DFA9A9E6A190EA2DD5A8736AE5391
                                                    SHA-512:8E1054F87068027847AFDF2F60CB2B6BBE2FB674C31E1A1B8C93DEF4438591709A2E705E4AD7898C236028A3A3D3972BE62FF57AF5965139C9ECF2FD2D43720D
                                                    Malicious:true
                                                    Reputation:low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:ISO-8859 text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):8
                                                    Entropy (8bit):3.0
                                                    Encrypted:false
                                                    SSDEEP:3:mVbP:mxP
                                                    MD5:9CC98A9DC31882B52047540E4E0B3CD1
                                                    SHA1:3C4DEE67488C1716C349FD7977DAEFCCEDE7064B
                                                    SHA-256:022A875D410DE3708A424EC637D04CF866BD83D95FE141EB0B20C3072924646A
                                                    SHA-512:CA91BA3B6DD9E4929D4F7C0CEAA0CD248D3833C04CA2E0C32BD5A203183DCBB8EC837D4ED00661979E31D310682FAD1DA675DF05DC742EE7D9E057366EB0CA54
                                                    Malicious:true
                                                    Preview: ..}.0..H
                                                    C:\Users\user\AppData\Roaming\pJrVfPIhXgkUp.exe
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1168384
                                                    Entropy (8bit):7.897636731334413
                                                    Encrypted:false
                                                    SSDEEP:24576:E2cXDkZfhBL97dNqehj/5L3xqpljbfrRUoq7Ohn:E2MiBBRNb5LBepfrhqyN
                                                    MD5:DCF168394EF0A6D6774B099DD8493B75
                                                    SHA1:565C77FA9F7F22229FF5AABAD52F6F9E0C5FBCE0
                                                    SHA-256:373E294FCCF1CBC447469AEB6FC86678EFBFD072B5035A295D1FC74CE6E9FD79
                                                    SHA-512:6F19BD8C1CE255848FC9E60B92B758AC960C81E3CB4C3C7BC5E520DE5B03CFC0A2244891150B50ECC179FC35A9D7F9477E567BDD275B32B4873FE640DAFE7AC9
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................0..............@....... ....@.. .......................`............@.....................................O............................ .......................................................@..................H............\.D|.aH..... ......................@....text............................... ..`.rsrc...............................@..@.reloc....... ......................@..B.............@...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.897636731334413
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                    • Win32 Executable (generic) a (10002005/4) 49.96%
                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:PROOF OF PAYMENT.exe
                                                    File size:1168384
                                                    MD5:dcf168394ef0a6d6774b099dd8493b75
                                                    SHA1:565c77fa9f7f22229ff5aabad52f6f9e0c5fbce0
                                                    SHA256:373e294fccf1cbc447469aeb6fc86678efbfd072b5035a295d1fc74ce6e9fd79
                                                    SHA512:6f19bd8c1ce255848fc9e60b92b758ac960c81e3cb4c3c7bc5e520de5b03cfc0a2244891150b50ecc179fc35a9d7f9477e567bdd275b32b4873fe640dafe7ac9
                                                    SSDEEP:24576:E2cXDkZfhBL97dNqehj/5L3xqpljbfrRUoq7Ohn:E2MiBBRNb5LBepfrhqyN
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..............@....... ....@.. .......................`............@................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x52400a
                                                    Entrypoint Section:
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x83ABA3EF [Sun Jan 1 20:51:59 2040 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00524000h]

                                                    Data Directories

                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x1008ac         0x4f          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x120000         0x608         .rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x122000         0xc           .reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x124000         0x8
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x100000         0x48          .text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                    Sections

                                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type                                            Entropy         Characteristics
                                                    \D|.aH  0x2000           0xfcf8c       0xfd000   False     1.00031458436    data                                                 7.99982924254   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                    .text   0x100000         0x1f3b8       0x1f400   False     0.35140625       data                                                 4.85294552494   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                    .rsrc   0x120000         0x608         0x800     False     0.33154296875    data                                                 3.4379516301    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc  0x122000         0xc           0x200     False     0.044921875      data                                                 0.0980041756627 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                    (none)  0x124000         0x10          0x200     False     0.044921875      Applesoft BASIC program data, first line number 16   0.142635768149  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    Name         RVA       Size   Type                                                                                  Language  Country
                                                    RT_VERSION   0x1200a0  0x376  data
                                                    RT_MANIFEST  0x120418  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                    Imports

                                                    DLL          Import
                                                    mscoree.dll  _CorExeMain

                                                    Version Infos

                                                    Description       Data
                                                    Translation       0x0000 0x04b0
                                                    LegalCopyright    Made Solutions International 2016
                                                    Assembly Version  36.5.0.8
                                                    InternalName      W4.exe
                                                    FileVersion       36.5.0.8
                                                    CompanyName       Made Solutions International
                                                    LegalTrademarks
                                                    Comments          Easynote
                                                    ProductName       Admin App
                                                    ProductVersion    36.5.0.8
                                                    FileDescription   Admin App
                                                    OriginalFilename  W4.exe

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

                                                    Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                                    Jan 21, 2021 18:20:26.636646986 CET  49750        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:26.686963081 CET  3190         49750      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:27.198801041 CET  49750        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:27.247421980 CET  3190         49750      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:27.750178099 CET  49750        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:27.801548958 CET  3190         49750      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:32.339077950 CET  49753        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:32.387886047 CET  3190         49753      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:32.899369001 CET  49753        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:32.948204041 CET  3190         49753      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:33.467303991 CET  49753        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:33.516005993 CET  3190         49753      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:38.044141054 CET  49755        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:38.093015909 CET  3190         49755      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:38.665368080 CET  49755        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:38.714430094 CET  3190         49755      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:39.368534088 CET  49755        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:39.417536974 CET  3190         49755      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:43.754842997 CET  49756        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:43.803443909 CET  3190         49756      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:44.368943930 CET  49756        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:44.417614937 CET  3190         49756      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:45.056510925 CET  49756        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:45.105313063 CET  3190         49756      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:49.941091061 CET  49759        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:49.989852905 CET  3190         49759      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:50.599390984 CET  49759        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:50.647996902 CET  3190         49759      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:51.338809967 CET  49759        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:51.387382030 CET  3190         49759      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:55.870851040 CET  49768        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:55.919444084 CET  3190         49768      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:56.432501078 CET  49768        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:56.481225014 CET  3190         49768      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:20:56.995039940 CET  49768        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:20:57.043771029 CET  3190         49768      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:01.385477066 CET  49771        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:01.434214115 CET  3190         49771      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:01.948607922 CET  49771        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:01.998749971 CET  3190         49771      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:02.511146069 CET  49771        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:02.560031891 CET  3190         49771      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:06.981112003 CET  49777        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:07.030205011 CET  3190         49777      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:07.620959997 CET  49777        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:07.669727087 CET  3190         49777      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:08.184009075 CET  49777        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:08.232570887 CET  3190         49777      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:14.020345926 CET  49778        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:14.069040060 CET  3190         49778      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:14.574636936 CET  49778        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:14.623289108 CET  3190         49778      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:15.137156010 CET  49778        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:15.185831070 CET  3190         49778      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:19.581602097 CET  49779        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:19.632669926 CET  3190         49779      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:20.137590885 CET  49779        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:20.186188936 CET  3190         49779      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:20.700217962 CET  49779        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:20.748981953 CET  3190         49779      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:25.395379066 CET  49780        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:25.444143057 CET  3190         49780      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:25.950561047 CET  49780        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:25.999279976 CET  3190         49780      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:26.513206005 CET  49780        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:26.561887980 CET  3190         49780      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:30.962618113 CET  49781        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:31.011766911 CET  3190         49781      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:31.529175043 CET  49781        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:31.579611063 CET  3190         49781      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:32.107358932 CET  49781        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:32.156056881 CET  3190         49781      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:36.731923103 CET  49783        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:36.780670881 CET  3190         49783      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:37.295358896 CET  49783        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:37.344342947 CET  3190         49783      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:37.857836962 CET  49783        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:37.906586885 CET  3190         49783      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:42.471095085 CET  49785        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:42.519733906 CET  3190         49785      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:43.030142069 CET  49785        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:43.078917980 CET  3190         49785      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:43.592746019 CET  49785        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:43.641819000 CET  3190         49785      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:48.097086906 CET  49786        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:48.145708084 CET  3190         49786      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:48.655638933 CET  49786        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:48.704374075 CET  3190         49786      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:49.218244076 CET  49786        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:49.267738104 CET  3190         49786      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:53.814023972 CET  49787        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:53.862994909 CET  3190         49787      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:54.374924898 CET  49787        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:54.423679113 CET  3190         49787      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:54.937490940 CET  49787        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:54.986247063 CET  3190         49787      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:59.346096992 CET  49788        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:59.394851923 CET  3190         49788      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:21:59.906557083 CET  49788        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:21:59.955153942 CET  3190         49788      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:00.469192982 CET  49788        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:00.518274069 CET  3190         49788      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:07.181174040 CET  49789        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:07.229741096 CET  3190         49789      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:07.735322952 CET  49789        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:07.783926010 CET  3190         49789      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:08.297833920 CET  49789        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:08.346721888 CET  3190         49789      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:13.398025990 CET  49790        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:13.446475983 CET  3190         49790      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:13.954571962 CET  49790        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:14.003360033 CET  3190         49790      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:14.517119884 CET  49790        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:14.565890074 CET  3190         49790      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:19.182126045 CET  49791        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:19.231365919 CET  3190         49791      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:19.736394882 CET  49791        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:19.784960985 CET  3190         49791      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:20.298866987 CET  49791        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:20.347656012 CET  3190         49791      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:25.039468050 CET  49792        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:25.088994980 CET  3190         49792      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:25.599419117 CET  49792        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:25.651864052 CET  3190         49792      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:26.158704042 CET  49792        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:26.209033966 CET  3190         49792      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:30.765079975 CET  49793        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:30.813678026 CET  3190         49793      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:31.315395117 CET  49793        3190       192.168.2.4     185.140.53.131
                                                    Jan 21, 2021 18:22:31.364092112 CET  3190         49793      185.140.53.131  192.168.2.4
                                                    Jan 21, 2021 18:22:31.877938032 CET497933190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:31.927292109 CET319049793185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:36.689884901 CET497943190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:36.738549948 CET319049794185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:37.253405094 CET497943190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:37.302134991 CET319049794185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:37.815967083 CET497943190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:37.864892960 CET319049794185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:42.391415119 CET497953190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:42.440737009 CET319049795185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:42.957055092 CET497953190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:43.005626917 CET319049795185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:43.519603968 CET497953190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:43.568347931 CET319049795185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:48.312330961 CET497963190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:48.361121893 CET319049796185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:48.863768101 CET497963190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:48.912662983 CET319049796185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:49.426301003 CET497963190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:49.475467920 CET319049796185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:54.426690102 CET497973190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:54.475320101 CET319049797185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:54.991076946 CET497973190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:55.039917946 CET319049797185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:55.551798105 CET497973190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:55.600553036 CET319049797185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:22:59.673413038 CET497983190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:22:59.725220919 CET319049798185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:23:00.239706039 CET497983190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:23:00.288515091 CET319049798185.140.53.131192.168.2.4
                                                    Jan 21, 2021 18:23:00.802268028 CET497983190192.168.2.4185.140.53.131
                                                    Jan 21, 2021 18:23:00.850877047 CET319049798185.140.53.131192.168.2.4

                                                    UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class

                                                    Code Manipulations

                                                    Statistics

                                                    CPU Usage


                                                    Memory Usage


                                                    High Level Behavior Distribution


                                                    Behavior


                                                    System Behavior

                                                    General

Start time: 18:19:59
Start date: 21/01/2021
Path: C:\Users\user\Desktop\PROOF OF PAYMENT.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PROOF OF PAYMENT.exe'
Imagebase: 0x640000
File size: 1168384 bytes
MD5 hash: DCF168394EF0A6D6774B099DD8493B75
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.697967874.0000000002B2B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

                                                    General

                                                    Start time:18:20:20
                                                    Start date:21/01/2021
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'
                                                    Imagebase:0x1390000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:18:20:21
                                                    Start date:21/01/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:18:20:21
                                                    Start date:21/01/2021
                                                    Path:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0x920000
                                                    File size:1168384 bytes
                                                    MD5 hash:DCF168394EF0A6D6774B099DD8493B75
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.1031725645.0000000005EE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.1031725645.0000000005EE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                    Reputation:low

                                                    General

                                                    Start time:18:20:36
                                                    Start date:21/01/2021
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                    Imagebase:0xe60000
                                                    File size:1168384 bytes
                                                    MD5 hash:DCF168394EF0A6D6774B099DD8493B75
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Antivirus matches:
                                                    • Detection: 100%, Joe Sandbox ML
                                                    Reputation:low

                                                    General

                                                    Start time:18:20:45
                                                    Start date:21/01/2021
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp'
                                                    Imagebase:0x1390000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:18:20:46
                                                    Start date:21/01/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:18:20:46
                                                    Start date:21/01/2021
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0xa70000
                                                    File size:1168384 bytes
                                                    MD5 hash:DCF168394EF0A6D6774B099DD8493B75
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    Disassembly

                                                    Code Analysis


                                                      Executed Functions

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 2WGx$2WGx
                                                      • API String ID: 0-965108585
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: "$plr
                                                      • API String ID: 0-728628365
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00E71734
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: CheckDebuggerPresentRemote
                                                      • String ID:
                                                      • API String ID: 3662101638-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: <
                                                      • API String ID: 0-4251816714
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 05088908
                                                      • GetCurrentThread.KERNEL32 ref: 05088945
                                                      • GetCurrentProcess.KERNEL32 ref: 05088982
                                                      • GetCurrentThreadId.KERNEL32 ref: 050889DB
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 05088908
                                                      • GetCurrentThread.KERNEL32 ref: 05088945
                                                      • GetCurrentProcess.KERNEL32 ref: 05088982
                                                      • GetCurrentThreadId.KERNEL32 ref: 050889DB
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • OutputDebugStringW.KERNELBASE(?), ref: 00E7E4A2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: DebugOutputString
                                                      • String ID: TF
                                                      • API String ID: 1166629820-3254612780
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(?), ref: 050866E2
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0508D219
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0508D219
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 050824F1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 050824F1
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05088B9B
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05088B9B
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(?,?,?), ref: 05086A0A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 0508F881
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID:
                                                      • API String ID: 2714655100-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(?,?,?), ref: 05086A0A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(?,?,?), ref: 05086A0A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00E7A0DF
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00E7185F
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetSystemMetrics.USER32(0000004B), ref: 05084FE5
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: MetricsSystem
                                                      • String ID:
                                                      • API String ID: 4116985748-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(?), ref: 050866E2
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697500058.0000000000E2D000.00000040.00000001.sdmp, Offset: 00E2D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697500058.0000000000E2D000.00000040.00000001.sdmp, Offset: 00E2D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697478060.0000000000E1D000.00000040.00000001.sdmp, Offset: 00E1D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697478060.0000000000E1D000.00000040.00000001.sdmp, Offset: 00E1D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A/^f$A/^f$A/^f
                                                      • API String ID: 0-1383570854
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: A/^f$A/^f$A/^f
                                                      • API String ID: 0-1383570854
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (`
                                                      • API String ID: 0-2022084096
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ]
                                                      • API String ID: 0-1481507288
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.697563863.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.705119960.0000000005080000.00000040.00000001.sdmp, Offset: 05080000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1032263613.0000000006360000.00000040.00000001.sdmp, Offset: 06360000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02CD962E
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027944804.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02CDFD0A
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027944804.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06363738
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1032263613.0000000006360000.00000040.00000001.sdmp, Offset: 06360000, based on PE: false
                                                      Similarity
                                                      • API ID: Query_
                                                      • String ID:
                                                      • API String ID: 428220571-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06363738
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1032263613.0000000006360000.00000040.00000001.sdmp, Offset: 06360000, based on PE: false
                                                      Similarity
                                                      • API ID: Query_
                                                      • String ID:
                                                      • API String ID: 428220571-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02CDFD0A
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027944804.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CDBCC6,?,?,?,?,?), ref: 02CDBD87
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027944804.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CDBCC6,?,?,?,?,?), ref: 02CDBD87
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027944804.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02CD96A9,00000800,00000000,00000000), ref: 02CD98BA
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027944804.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02CD96A9,00000800,00000000,00000000), ref: 02CD98BA
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027944804.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02CD962E
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027944804.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02CDFE28,?,?,?,?), ref: 02CDFE9D
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027944804.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02CDFE28,?,?,?,?), ref: 02CDFE9D
                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027944804.0000000002CD0000.00000040.00000001.sdmp, Offset: 02CD0000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: 09bb4d1c5a10ca09adf355ca9058c11a21d750bcbd5f678048e46a999bb04fe0
                                                      • Instruction ID: d58d37508ba11d92e1ac0419860b52934e72857c49daf599e3b0068d61304dda
                                                      • Opcode Fuzzy Hash: 09bb4d1c5a10ca09adf355ca9058c11a21d750bcbd5f678048e46a999bb04fe0
                                                      • Instruction Fuzzy Hash: 6B11F2B5800649CFDB10CF99D589BDEBBF8EB48324F14881AD959B3641C378AA44CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027012319.000000000100D000.00000040.00000001.sdmp, Offset: 0100D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 65e2977e69e260ba233fd212482d4054437f5f2d88f6d84d01e00d615f846379
                                                      • Instruction ID: fd968f08c50e182950027972b4a7431dbd95e06fbb99617e3c6440ae64eeb113
                                                      • Opcode Fuzzy Hash: 65e2977e69e260ba233fd212482d4054437f5f2d88f6d84d01e00d615f846379
                                                      • Instruction Fuzzy Hash: F62128B1504240DFEB02CF94D8C0B6ABFA5FB84328F2486A9ED454B287C736D856C7B1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027012319.000000000100D000.00000040.00000001.sdmp, Offset: 0100D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 73d8f92822d3a34bd0a3d1f1ad0389f6aa511e993df7efcf71007ef28e3ac728
                                                      • Instruction ID: 6e22b94f62de5a1bec0daf8cc629099037f49109985653c675a779e258f7a54d
                                                      • Opcode Fuzzy Hash: 73d8f92822d3a34bd0a3d1f1ad0389f6aa511e993df7efcf71007ef28e3ac728
                                                      • Instruction Fuzzy Hash: F0213AB1504240DFEB06CF94D8C0B5ABFA5FB84324F25C6A9E9854B287C736E856C7B1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027054518.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 035fbb44f4d0dead033a83f7be89ac8985bda530c2a28210b1e72b8582fabe6a
                                                      • Instruction ID: 224b474065ae6e4d5ec760c1a61281ebb92ed16c7a3e296b2232d05896eeeedd
                                                      • Opcode Fuzzy Hash: 035fbb44f4d0dead033a83f7be89ac8985bda530c2a28210b1e72b8582fabe6a
                                                      • Instruction Fuzzy Hash: 1A213775504240DFDB16CF54D8C8B16BBA5FB84354F24CAADE9894B24AC33ED847CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027012319.000000000100D000.00000040.00000001.sdmp, Offset: 0100D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
                                                      • Instruction ID: 45b583d7e6696a4514b8cd719f4286336823206e85e5365807b9e1c7c449f4e3
                                                      • Opcode Fuzzy Hash: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
                                                      • Instruction Fuzzy Hash: 7911B176804280DFEB12CF54D5C4B16BFB1FB84324F2486A9DD450B65BC33AD456CBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027012319.000000000100D000.00000040.00000001.sdmp, Offset: 0100D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
                                                      • Instruction ID: 141a94bdfb0fed6a2f591856802f6d8dca8e4e731fe23329052d889d1133d303
                                                      • Opcode Fuzzy Hash: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
                                                      • Instruction Fuzzy Hash: 8D11B176404280DFDB12CF54D5C4B56BFB1FB84324F24C6A9D8450B657C33AE456CBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000007.00000002.1027054518.000000000101D000.00000040.00000001.sdmp, Offset: 0101D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 84522397b0c0072479584b34e9b527c289f971b5c41eac134402e64a3c6926ae
                                                      • Instruction ID: 87c120309a409d7b48ebb46184a3335db427bad7a1a99af3c853f50340fe45d3
                                                      • Opcode Fuzzy Hash: 84522397b0c0072479584b34e9b527c289f971b5c41eac134402e64a3c6926ae
                                                      • Instruction Fuzzy Hash: 05119075504280DFDB12CF54D5C8B15FFB1FB44314F24C6AAE8494B65AC33AD45ACB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Executed Functions

                                                      APIs
                                                      • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 031D1734
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.755003136.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                      Similarity
                                                      • API ID: CheckDebuggerPresentRemote
                                                      • String ID:
                                                      • API String ID: 3662101638-0
                                                      • Opcode ID: 166d24a464cf466d1ab1f185f7e10bf855a8124a6c42fbea48149c9784cb5ee7
                                                      • Instruction ID: 2259b7cc6e9f9d048af9cda3f144e4d7db8274f2831f6551a5895f800722317e
                                                      • Opcode Fuzzy Hash: 166d24a464cf466d1ab1f185f7e10bf855a8124a6c42fbea48149c9784cb5ee7
                                                      • Instruction Fuzzy Hash: F85149B5D05298DFCB00CFA9D884BDDBBB0BB1A311F59855AD484B7301D738A649CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 031D1734
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.755003136.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                      Similarity
                                                      • API ID: CheckDebuggerPresentRemote
                                                      • String ID:
                                                      • API String ID: 3662101638-0
                                                      • Opcode ID: f2cacb1d76d46b0435a1265abd667f035677b8adbcc666e7f8f1b57196b809e4
                                                      • Instruction ID: b6a8d7fa1c2b61b5a0eb5450972511718f76365e4ab5b5ad98b2a333c6c8cace
                                                      • Opcode Fuzzy Hash: f2cacb1d76d46b0435a1265abd667f035677b8adbcc666e7f8f1b57196b809e4
                                                      • Instruction Fuzzy Hash: 1F41CAB8D05258DFCB00CFA9D484AEEFBF4AB09310F14806AE414B7210D738AA89CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 031D185F
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.755003136.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: d5712d319615ef95ffb45cb66302609daae91185eb40357d609944f04461439a
                                                      • Instruction ID: a6ecefe9061a853646e78b9d342607d412022f51797a672667feb6dff8ffb5b4
                                                      • Opcode Fuzzy Hash: d5712d319615ef95ffb45cb66302609daae91185eb40357d609944f04461439a
                                                      • Instruction Fuzzy Hash: 823189B9D04258AFCF10CFA9D884AEEFBB0BF59310F14902AE814B7210D775A945CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 031D185F
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.755003136.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 22aba9a5ed65eaec302f1632a72661f3d8af7704ac18e2e6936b3b8930e1bdd6
                                                      • Instruction ID: 743c7294006f9fbf4566d5a3d678ee5ea4184f5a8a9b313ffbf6940f3d63b414
                                                      • Opcode Fuzzy Hash: 22aba9a5ed65eaec302f1632a72661f3d8af7704ac18e2e6936b3b8930e1bdd6
                                                      • Instruction Fuzzy Hash: F43199B9D04258AFCF10CFA9D884ADEFBB0BB59310F14902AE814B7210D774A945CF64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 031DA0DF
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.755003136.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 8a2347cac4296831d7d37214a3f0899548058e41d924afb403b7716bc21e06aa
                                                      • Instruction ID: 35222112b456813f16df99ded15ffdfc557bc2362262861292d822923160c7b9
                                                      • Opcode Fuzzy Hash: 8a2347cac4296831d7d37214a3f0899548058e41d924afb403b7716bc21e06aa
                                                      • Instruction Fuzzy Hash: 793177B9D042589FCF10CFA9E984ADEFBB5BF19310F14902AE814B7210D775A985CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • OutputDebugStringW.KERNELBASE(?), ref: 031DCA12
                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.755003136.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
                                                      Similarity
                                                      • API ID: DebugOutputString
                                                      • String ID:
                                                      • API String ID: 1166629820-0
                                                      • Opcode ID: ed7014d3165f48b0a7927ce0eebdc2a0e47999a027487ee59ed8a1756302568d
                                                      • Instruction ID: 4b9bfa121f137d6fec50d6ca107cdceae8359e57d85e545dd64a938fbc365fd9
                                                      • Opcode Fuzzy Hash: ed7014d3165f48b0a7927ce0eebdc2a0e47999a027487ee59ed8a1756302568d
                                                      • Instruction Fuzzy Hash: C831C8B4D002599FCB14CFAAD984ADEFBF5AF49314F14902AE818B7320D734A945CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.754763867.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9102f2106d6f3038bd652f13c9ec56cf1a99fb95f76ade50e919df919665091b
                                                      • Instruction ID: 1264dafd13b6378af86a32de4a0fb093f037d02f0f93751410a79fb00bb4ec5d
                                                      • Opcode Fuzzy Hash: 9102f2106d6f3038bd652f13c9ec56cf1a99fb95f76ade50e919df919665091b
                                                      • Instruction Fuzzy Hash: A02137B1604240DFDF25CF58E4C4B16FB65FB84354F24C6A9D9494B246C33AD80BCB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.754763867.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 84522397b0c0072479584b34e9b527c289f971b5c41eac134402e64a3c6926ae
                                                      • Instruction ID: 86b73f80940ade3c5d6d2e6b3b2ad7dc753251f106fae0f4a87c6c714ff0bc6d
                                                      • Opcode Fuzzy Hash: 84522397b0c0072479584b34e9b527c289f971b5c41eac134402e64a3c6926ae
                                                      • Instruction Fuzzy Hash: 8811BE75504280DFDB12CF58E5C4B15FB71FB44314F24C6AAD8494B656C33AD44ACB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.754337191.000000000158D000.00000040.00000001.sdmp, Offset: 0158D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2c3bc04b7eda0121a034b90213b2f1a6a91d15fba27439389cf206e86001f321
                                                      • Instruction ID: 337b9f0b54f54c0d6a2cfe295f007a2463fcc35774a9990b0b06fcda593a328a
                                                      • Opcode Fuzzy Hash: 2c3bc04b7eda0121a034b90213b2f1a6a91d15fba27439389cf206e86001f321
                                                      • Instruction Fuzzy Hash: F601FC714083C4AAF7107A55CC84B66BBF8FF41238F08C515EE04AF2C2C378A844C6B1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000C.00000002.754337191.000000000158D000.00000040.00000001.sdmp, Offset: 0158D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7d1fe59aabfcdae6db3ef4cceb2322c166bb3093e45aab7fe68baa04c88a5c6f
                                                      • Instruction ID: 9dbb23c9ac4f1476337fc91fc913bad43934ea2171b6fc1225206c401d4bc82b
                                                      • Opcode Fuzzy Hash: 7d1fe59aabfcdae6db3ef4cceb2322c166bb3093e45aab7fe68baa04c88a5c6f
                                                      • Instruction Fuzzy Hash: 4CF06271405284AAE7119E1ACC84B66FFE8EB81634F18C55AED085F286C3789844CAB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Executed Functions

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 02D5B730
                                                      • GetCurrentThread.KERNEL32 ref: 02D5B76D
                                                      • GetCurrentProcess.KERNEL32 ref: 02D5B7AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 02D5B803
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 98c05a7a1feca7d9f7320e89b8b00987ebdc6974675dd39848e3bed9ef9e16a9
                                                      • Instruction ID: b543c2328fec197a00aeda59301a2749fcac6be705aa68b21cf566e7182a934b
                                                      • Opcode Fuzzy Hash: 98c05a7a1feca7d9f7320e89b8b00987ebdc6974675dd39848e3bed9ef9e16a9
                                                      • Instruction Fuzzy Hash: 6C5154B0E007599FDB10CFAAD688BDEBBF0AF48318F24845AE459A7350D7785844CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 02D5B730
                                                      • GetCurrentThread.KERNEL32 ref: 02D5B76D
                                                      • GetCurrentProcess.KERNEL32 ref: 02D5B7AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 02D5B803
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: d3f79552e4041beee02bdd2b46f5ba91276d2656e5f7d8a48de8dcf1bb08a323
                                                      • Instruction ID: 1111695e9102a61290af23ccd171dc3476fbb140e85fd0368d36de498f3a7b33
                                                      • Opcode Fuzzy Hash: d3f79552e4041beee02bdd2b46f5ba91276d2656e5f7d8a48de8dcf1bb08a323
                                                      • Instruction Fuzzy Hash: 245154B0E007598FDB10CFAAC688BDEBBF1AF48318F24845AE419A7350D7785844CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 35606d33875e50bcca0d2bf429e2638ec0809010b8cb28d3980acfd8a99c6a44
                                                      • Instruction ID: 5605fbe510ba66bce55be9e8f2ed8df2c55c9d10f863f55d3a68aee8373eb91e
                                                      • Opcode Fuzzy Hash: 35606d33875e50bcca0d2bf429e2638ec0809010b8cb28d3980acfd8a99c6a44
                                                      • Instruction Fuzzy Hash: C4223278E08205CFCB18DB95D588AFEBBB2FB49310F148557DE12AB354C7B4A841CB69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 0541E289
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: CurrentThread
                                                      • String ID:
                                                      • API String ID: 2882836952-0
                                                      • Opcode ID: aad99c5495dce64f76f0cbff6ff056fd58fe90c132f031172da52389dda4c3d4
                                                      • Instruction ID: e552e88669003321f4c27e534a70e25ea0ee093e3ac96aecaf888d6048f138e5
                                                      • Opcode Fuzzy Hash: aad99c5495dce64f76f0cbff6ff056fd58fe90c132f031172da52389dda4c3d4
                                                      • Instruction Fuzzy Hash: 35818674E002588FDB14DFA5C454AEEBFFAAF88304F14846AD805AB350DB749846CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02D5962E
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 46a78af575d060cfdf09828188a11b452a4b2756bdc177461038367899d87483
                                                      • Instruction ID: d867d40c7288cec1d06d881bd2a4aff7747839e16c4e917c7e51cd8689f613e0
                                                      • Opcode Fuzzy Hash: 46a78af575d060cfdf09828188a11b452a4b2756bdc177461038367899d87483
                                                      • Instruction Fuzzy Hash: 5E711470A00B158FDB64DF2AC45079ABBF5FF88244F008A2DD98AD7B50DB74E845CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 0541E289
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: CurrentThread
                                                      • String ID:
                                                      • API String ID: 2882836952-0
                                                      • Opcode ID: 4cda0c639997901132de7b53476117fdf91559de434f9c74820f0e04a58e821b
                                                      • Instruction ID: 3310f6824af678e0da08fa79aba62310d76f148205a11faf4cab98bcb11613ab
                                                      • Opcode Fuzzy Hash: 4cda0c639997901132de7b53476117fdf91559de434f9c74820f0e04a58e821b
                                                      • Instruction Fuzzy Hash: 2B519935D002588FDF15DFA5C850BEEBFBABF84304F14856AD805AB360DB749846CB64
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D5FD0A
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 4eeb91b09c8b4feff19fac863c596db9e5ad6e9471cdf228c3830d41692a8d33
                                                      • Instruction ID: 79c8c164ea4647f37ef66b8da256fcadcb34d3542a6c0c59e3c8a6d8576743b5
                                                      • Opcode Fuzzy Hash: 4eeb91b09c8b4feff19fac863c596db9e5ad6e9471cdf228c3830d41692a8d33
                                                      • Instruction Fuzzy Hash: 9351F0B1D043599FDF14CFA9D880ADEBBB1BF49314F24826AE808AB211D774A845CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02D5FD0A
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 0628c652cd2fa0e9438631ac3ebab61f06d60c9979bcc4bde4bf961816ea7b3f
                                                      • Instruction ID: 96c8fa4601d7bcc5c283372c53057693348db284a67131aab9d33971d35de4f8
                                                      • Opcode Fuzzy Hash: 0628c652cd2fa0e9438631ac3ebab61f06d60c9979bcc4bde4bf961816ea7b3f
                                                      • Instruction Fuzzy Hash: C1419FB1D003199FDF14CFA9D984ADEBBB5FF49314F24822AE819AB210D7B49945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 054146B1
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: f0f9a6564810628ab74a0ab2b08fa89175847e7971f35deb57ec4eac5dfa0627
                                                      • Instruction ID: 560adf3c13a677a200b7f84d3a6b4c9493d2e2a7965bb362b534c6ae804917e7
                                                      • Opcode Fuzzy Hash: f0f9a6564810628ab74a0ab2b08fa89175847e7971f35deb57ec4eac5dfa0627
                                                      • Instruction Fuzzy Hash: 554112B1C00219CFDF24DFA9C884BCEBBB1BF49304F25806AD418AB251DBB46946CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 054146B1
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 600b7425cf34f2930f64f9f69ece805e38fc1f26b1cdfd1e3758b5111b1dfae4
                                                      • Instruction ID: e73b2e02b7790a62418a448cd8d08719e5d413336f673f5b96306cf29767b4e7
                                                      • Opcode Fuzzy Hash: 600b7425cf34f2930f64f9f69ece805e38fc1f26b1cdfd1e3758b5111b1dfae4
                                                      • Instruction Fuzzy Hash: 5A4113B0C04218CFDF20DFA9C8847CEBBB1BF49308F20806AD409AB251DBB45946CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05412531
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID:
                                                      • API String ID: 2714655100-0
                                                      • Opcode ID: 0b2f1dce6e2b95085932372c7f5f5c050d4b97c0e8571a2ae40a472882c5ac7f
                                                      • Instruction ID: b48b971689a93e3f3cdbd68ea3f71e11d7c040cdc18d998b8bc25b1cdfe49e0b
                                                      • Opcode Fuzzy Hash: 0b2f1dce6e2b95085932372c7f5f5c050d4b97c0e8571a2ae40a472882c5ac7f
                                                      • Instruction Fuzzy Hash: F6411AB8A042058FDB14CF99C488BAABBF6FF88314F148559D919A7321D774A841CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateFromIconResource
                                                      • String ID:
                                                      • API String ID: 3668623891-0
                                                      • Opcode ID: 940daa8b711c78e6de7fd1e50812038d63ec1c3be9ad32dc028b34be8af5e3e2
                                                      • Instruction ID: ac5a6fee545a53d7a143d78e4af98753c7f01305686d42a14fbb50a38a81c396
                                                      • Opcode Fuzzy Hash: 940daa8b711c78e6de7fd1e50812038d63ec1c3be9ad32dc028b34be8af5e3e2
                                                      • Instruction Fuzzy Hash: E6319C719043899FCB01CFAAD844ADEBFF8EF09310F08806AF954AB221C3359950DFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,02D253E8,00000000,?), ref: 0541E73D
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: 01312bb3925a753224f4952c9d11c88cc75a98fc5f96e186785b463b8356dd57
                                                      • Instruction ID: 615b434f3b6ea6c8162cf60e03ab0dbc9a95a02e097264048adf95f009c247cc
                                                      • Opcode Fuzzy Hash: 01312bb3925a753224f4952c9d11c88cc75a98fc5f96e186785b463b8356dd57
                                                      • Instruction Fuzzy Hash: C8219AB18043498FDB10CFA9C845BEEBFF4EF09320F14816AD8A4A3241D378A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D5BD87
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 98c8133b7e0d5148f99750796084091d80e8e80a5a688f6ef9dc2e47cbc47596
                                                      • Instruction ID: 4b74c1e2a66332fa0aa38b3e9f7862a9dfbb3b91d7ab1846ecffadf4d7f26e75
                                                      • Opcode Fuzzy Hash: 98c8133b7e0d5148f99750796084091d80e8e80a5a688f6ef9dc2e47cbc47596
                                                      • Instruction Fuzzy Hash: 8821E5B59002599FDB10CFA9D984BDEBFF4EB48324F14845AE954A3310D378A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D5BD87
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 1d6c0e2ebb9179be1c603523dfc66a93d6e5e00dc2583b54f43441f052fed967
                                                      • Instruction ID: e879c099950a5b8d0eed439fb294e9fbd342652860e8e2f4bace2eb300a8c7c9
                                                      • Opcode Fuzzy Hash: 1d6c0e2ebb9179be1c603523dfc66a93d6e5e00dc2583b54f43441f052fed967
                                                      • Instruction Fuzzy Hash: 8421C4B59002599FDB10CF9AD984BDEBFF8EB48324F14841AE955A3310D378A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0541B8B2,?,?,?,?,?), ref: 0541B957
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateFromIconResource
                                                      • String ID:
                                                      • API String ID: 3668623891-0
                                                      • Opcode ID: 0a8948ff86aa149358e39c6a1eb8d0993badc069f40f3f7fec4067b417d3bd0c
                                                      • Instruction ID: da866aa72336b64329df5f981fecb2c55b6da3399f9597dcb10f270f14a72cf9
                                                      • Opcode Fuzzy Hash: 0a8948ff86aa149358e39c6a1eb8d0993badc069f40f3f7fec4067b417d3bd0c
                                                      • Instruction Fuzzy Hash: EC1156B18002499FDB10CF9AD844BDEBFF8EB48320F14841AE955A3210C378A950DFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D596A9,00000800,00000000,00000000), ref: 02D598BA
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 6fda3118c4a95390448b90bca8f1c41d54cd6e352621b68c68ae0bdb87bc6378
                                                      • Instruction ID: c9efb545f61009d56de2aa776108670e8ea3caf9ee6f526c71449ca0b45ce941
                                                      • Opcode Fuzzy Hash: 6fda3118c4a95390448b90bca8f1c41d54cd6e352621b68c68ae0bdb87bc6378
                                                      • Instruction Fuzzy Hash: 211103B6900259DFDB10CF9AD444BDEBBF4EB48324F04852EE919A7700C3B8A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D596A9,00000800,00000000,00000000), ref: 02D598BA
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 62815362990c1d2d283c0a99ddaf1578c8cf94b5154cc2a12dc7d5bb309e4aae
                                                      • Instruction ID: f0009244025a26c5916638b57c37f5a6b068e5d1ff5d351d67552b416ff37eb5
                                                      • Opcode Fuzzy Hash: 62815362990c1d2d283c0a99ddaf1578c8cf94b5154cc2a12dc7d5bb309e4aae
                                                      • Instruction Fuzzy Hash: FA1106B5D002499FDB10CFAAD444BDEBFF4AB49314F04852ED815A7300C378A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,02D253E8,00000000,?), ref: 0541E73D
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: 58ee119022bb22f504de236ef289bd95f8b8c6b1f4131b7244fb27d892874555
                                                      • Instruction ID: ebbdb4cd1d8953fb3a3d790ff37d4bb33f5f793fd1cd6a8eee8c4a57f0506162
                                                      • Opcode Fuzzy Hash: 58ee119022bb22f504de236ef289bd95f8b8c6b1f4131b7244fb27d892874555
                                                      • Instruction Fuzzy Hash: 091116B58002499FDB10CF99C885BEEBFF8EB48320F14841AE954A3340D378A954CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,00000018,00000001,?), ref: 0541D29D
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: bd0004fd32d28a85c305a8b3107b725c1a6862624071b768a6cba93f18f07740
                                                      • Instruction ID: 6f4aacf2b3caae1975363b6f0d10e7314a90c8db9db476de77fa854fd49b3b74
                                                      • Opcode Fuzzy Hash: bd0004fd32d28a85c305a8b3107b725c1a6862624071b768a6cba93f18f07740
                                                      • Instruction Fuzzy Hash: F811F2B58002499FDB10CF99D884BDEBFF8FB48324F14881AE958A7700C378A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02D5962E
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: d0ef6cbcb40bd809b9b5dca63fd56a0f1ecbf6deac212773166d9345bc145fe8
                                                      • Instruction ID: 111394b73ace6e006ccead37d7074bb2f5e53c8cb494febcd98734632af6c55e
                                                      • Opcode Fuzzy Hash: d0ef6cbcb40bd809b9b5dca63fd56a0f1ecbf6deac212773166d9345bc145fe8
                                                      • Instruction Fuzzy Hash: 881110B5C006998FDB10CF9AC444BDEFBF4EF88224F14852AD819A7300D3B8A549CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0541226A,?,00000000,?), ref: 0541C435
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 5598a216d7365e321374e1645979a094d4b022131cbd5a2e75586721f38e5165
                                                      • Instruction ID: d03f87f3e6e84afd4acbf171f079f1f966e3a09c22f0129d6cbb875bb88bd769
                                                      • Opcode Fuzzy Hash: 5598a216d7365e321374e1645979a094d4b022131cbd5a2e75586721f38e5165
                                                      • Instruction Fuzzy Hash: C11103B58047499FDB10CF99D884BEEBFF8EB58324F14841AE959A7700D378A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 0541BCBD
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 30a6b925f8005ec2295612a50adea5546c3e4e1507bad9deba94554f56513fab
                                                      • Instruction ID: f04a30ec3247d1a3a1b1758608a55e770ae5eb125d11a59144bf3833bc2a3739
                                                      • Opcode Fuzzy Hash: 30a6b925f8005ec2295612a50adea5546c3e4e1507bad9deba94554f56513fab
                                                      • Instruction Fuzzy Hash: C011F2B58007499FDB10DF99D988BDEBBF8EB48320F14841AE955A7300D379A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,00000018,00000001,?), ref: 0541D29D
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: afbbaabfb428e78a84efd532b4ec768a5a4551285bdf8fafb412a157806cba9f
                                                      • Instruction ID: bd74748686a36f989515c0b35e493504681b65fa9c68d42631647b12e9e6b1cd
                                                      • Opcode Fuzzy Hash: afbbaabfb428e78a84efd532b4ec768a5a4551285bdf8fafb412a157806cba9f
                                                      • Instruction Fuzzy Hash: 661103B58003499FDB10CF9AD884BDEBBF8EB48320F14841AE955A7300D378A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0541226A,?,00000000,?), ref: 0541C435
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: 2a93f97bbc4dd9cc23b9a65593c378e27c7a385c3c32b7b2a11975626444f7cb
                                                      • Instruction ID: bf5c302e16a440784a6c95386f7a47a11d7a651e3a06d8d7b3342cecdb8fef4c
                                                      • Opcode Fuzzy Hash: 2a93f97bbc4dd9cc23b9a65593c378e27c7a385c3c32b7b2a11975626444f7cb
                                                      • Instruction Fuzzy Hash: 781103B58006499FDB10CF99C885BDEBFF8FB48324F54885AE958A7700C374A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 0541F435
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID:
                                                      • API String ID: 2538663250-0
                                                      • Opcode ID: 906d1260331b1006e0be173a7fe1f558b83d9d78f4eb29af69d397f40df407ef
                                                      • Instruction ID: 9e6c582b9fabf9b858f04fcea99390eff7481226c347976061346f2a91a8a41f
                                                      • Opcode Fuzzy Hash: 906d1260331b1006e0be173a7fe1f558b83d9d78f4eb29af69d397f40df407ef
                                                      • Instruction Fuzzy Hash: 501145B18002489FDB10CFA9D588BCEFFF8EB48324F15852AD559A3300D378A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 02D5FE9D
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: b11736bc5011f0eb299258564e30b4fdd93c41a801f8013f27a8135e46061786
                                                      • Instruction ID: 32a2b6e67415f7305d5a96edde72ae0554d1643d7b93409e809822ac35701ad8
                                                      • Opcode Fuzzy Hash: b11736bc5011f0eb299258564e30b4fdd93c41a801f8013f27a8135e46061786
                                                      • Instruction Fuzzy Hash: 4E1133B58003489FDB10CF99D585BDEBFF8EB88324F14841AE858A7301C374A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000), ref: 0541BCBD
                                                      Memory Dump Source
                                                      • Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
• API String ID: 3850602802-0
• Opcode ID: eb3682f5283e3209f70ec7bf980ecb673c0ba5c205869de381b565fdc878660d
• Instruction ID: a1b4030598a73c2bea84b7c074a84dd2b6c6db0e27f577b1dae859ccf296539c
• Instruction Fuzzy Hash: A111F2B58006499FDB10CF99D888BDEBBF8EB48320F14841AE958A7300D374A944CFA5
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 0541F435
Memory Dump Source
• Source File: 00000011.00000002.773626741.0000000005410000.00000040.00000001.sdmp, Offset: 05410000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: b8b57aa0542eaf5093b1232f89c00e2e999631546f50bf7460ea859714ceec34
• Instruction ID: 71ad24b7e0a1768583ba4a23c7f52ddb37522a649bae77d0387d50d1a12b9308
• Instruction Fuzzy Hash: 401145B09042489FDB10CF99D488BDEBBF4EB48324F14845AD959A3300D378A945CFA5
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 02D5FE9D
Memory Dump Source
• Source File: 00000011.00000002.772588292.0000000002D50000.00000040.00000001.sdmp, Offset: 02D50000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 5bf75e5030fdb0eed309c5e18d0e6ed34ae51ce030e8b0b51849a0c3edee9ead
• Instruction ID: 9487ac345d813ccc7414556b5ddd7847f3dd65199c5f009e48839bd938718e9d
• Instruction Fuzzy Hash: 071123B58002499FDB10CF9AD584BDFFBF8EB48324F14851AE958A7700C3B8A944CFA1
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.772107431.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40a605f8e0af23e4fa85199f69a35d0dcb43435338dc778ab8d85b2981c10815
• Instruction ID: e08949802cd8ef35fe26ba59b5ca69a3a93c582e42b87efb47010aca2d1ba6cc
• Instruction Fuzzy Hash: C12145B1504244DFEB41CF84D8C0F66BF65FB8872CF248A69ED054B206C336E856CBA2
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.772144643.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a320fe72968656c81e09d7bccd9e894c4ff2679dfd674510e331832abcade90e
• Instruction ID: 9eae2cdf85234a384a61bbd42edfb7fae24c08a6fa46663388bce5277f367543
• Instruction Fuzzy Hash: 7C213771604244DFDB11CF54D8C0B26BB69FB84358F24C669D9894B24AC337D807CA61
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.772107431.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 987ae082b2f359035be596b84dcad585c5d9c7b80c54fd1badd6de72d9b1f1a2
• Instruction ID: 72d18b1b8b59990069ce704f8c5207a571c3194271c8773d41a57bfcc50a3cd3
• Instruction Fuzzy Hash: F111BE76804280DFDB16CF58D9C4B16BF71FB84728F2886A9DD054B617C33AD45ACBA2
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.772144643.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84522397b0c0072479584b34e9b527c289f971b5c41eac134402e64a3c6926ae
• Instruction ID: 27a98019074343a47b0564506f197995e3afc64090d38099615277dc8fc563cf
• Instruction Fuzzy Hash: C9119075504280DFDB12CF54D5C4B15FF71FB84318F24C6AAD8494B65AC33AD45ACB61
Uniqueness Score: -1.00%

Non-executed Functions