Play interactive tour

Edit tour

Analysis Report Copyofreceipt.scr

Overview

General Information

Sample Name:	Copyofreceipt.scr (renamed file extension from scr to exe)
Analysis ID:	356658
MD5:	6f9340718bf2defbdb4b438d80857fb3
SHA1:	ddfe78ec1db2fbec98ee87235938223360bae49d
SHA256:	26b8405b53da2fa69471859793721f24e5c407bb4d2af8537e21e244c4363f55
Tags:	AgentTeslascr
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Copyofreceipt.exe (PID: 6436 cmdline: 'C:\Users\user\Desktop\Copyofreceipt.exe' MD5: 6F9340718BF2DEFBDB4B438D80857FB3)

schtasks.exe (PID: 6568 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Copyofreceipt.exe (PID: 6612 cmdline: C:\Users\user\Desktop\Copyofreceipt.exe MD5: 6F9340718BF2DEFBDB4B438D80857FB3)

Copyofreceipt.exe (PID: 6620 cmdline: C:\Users\user\Desktop\Copyofreceipt.exe MD5: 6F9340718BF2DEFBDB4B438D80857FB3)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "3ZVFxxx2W", "URL: ": "https://0SOrICva3tdSq4g.net", "To: ": "zenovia@ccglass.co.za", "ByHost: ": "mail.ccglass.co.za:587", "Password: ": "BKDXwAbUo", "From: ": "zenovia@ccglass.co.za"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.217719267.0000000002971000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Copyofreceipt.exe PID: 6620	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Copyofreceipt.exe PID: 6620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Copyofreceipt.exe PID: 6436	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Copyofreceipt.exe PID: 6436	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.Copyofreceipt.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Copyofreceipt.exe.2999eac.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Copyofreceipt.exe.3c3c800.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Copyofreceipt.exe.3c3c800.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Copyofreceipt.exe.3aded30.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Copyofreceipt.exe.3b3c750.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Copyofreceipt.exe.29d317c.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Copyofreceipt.exe' , ParentImage: C:\Users\user\Desktop\Copyofreceipt.exe, ParentProcessId: 6436, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp', ProcessId: 6568

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Copyofreceipt.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe

Avira: detection malicious, Label: HEUR/AGEN.1138558

Found malware configuration

Show sources

Source: Copyofreceipt.exe.6620.5.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "3ZVFxxx2W", "URL: ": "https://0SOrICva3tdSq4g.net", "To: ": "zenovia@ccglass.co.za", "ByHost: ": "mail.ccglass.co.za:587", "Password: ": "BKDXwAbUo", "From: ": "zenovia@ccglass.co.za"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe

ReversingLabs: Detection: 10%

Multi AV Scanner detection for submitted file

Show sources

Source: Copyofreceipt.exe

ReversingLabs: Detection: 10%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Copyofreceipt.exe

Joe Sandbox ML: detected

Source: 5.2.Copyofreceipt.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: Copyofreceipt.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Copyofreceipt.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		0_2_0714E860
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		0_2_0714E84F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49740 -> 102.130.118.207:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49741 -> 102.130.118.207:587

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://0SOrICva3tdSq4g.net

Source: global traffic

TCP traffic: 192.168.2.3:49740 -> 102.130.118.207:587

Source: global traffic

TCP traffic: 192.168.2.3:49740 -> 102.130.118.207:587

Source: unknown

DNS traffic detected: queries for: mail.ccglass.co.za

Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Copyofreceipt.exe, 00000005.00000002.470932330.00000000033A6000.00000004.00000001.sdmp	String found in binary or memory: http://ccglass.co.za
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Copyofreceipt.exe, 00000005.00000002.470932330.00000000033A6000.00000004.00000001.sdmp	String found in binary or memory: http://mail.ccglass.co.za
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	String found in binary or memory: http://zJtUrL.com
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	String found in binary or memory: https://0SOrICva3tdSq4g.net
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Copyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, Copyofreceipt.exe, 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 5.2.Copyofreceipt.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA127015Au002dD413u002d43E5u002dBE45u002dE3525638B3FDu007d/u0034417B756u002d20ACu002d480Bu002d9C23u002dF4A6397749FA.cs

Large array initialization: .cctor: array initializer size 11933

.NET source code contains very large strings

Show sources

Source: Copyofreceipt.exe, frmlogin.cs	Long String: Length: 13656
Source: ZnTVKjXRZvpJV.exe.0.dr, frmlogin.cs	Long String: Length: 13656
Source: 0.0.Copyofreceipt.exe.650000.0.unpack, frmlogin.cs	Long String: Length: 13656
Source: 0.2.Copyofreceipt.exe.650000.0.unpack, frmlogin.cs	Long String: Length: 13656
Source: 4.0.Copyofreceipt.exe.350000.0.unpack, frmlogin.cs	Long String: Length: 13656
Source: 4.2.Copyofreceipt.exe.350000.0.unpack, frmlogin.cs	Long String: Length: 13656
Source: 5.2.Copyofreceipt.exe.d50000.1.unpack, frmlogin.cs	Long String: Length: 13656
Source: 5.0.Copyofreceipt.exe.d50000.0.unpack, frmlogin.cs	Long String: Length: 13656

Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_00659526	0_2_00659526
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_0106C0D4	0_2_0106C0D4
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_0106E5A0	0_2_0106E5A0
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_04F247F8	0_2_04F247F8
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_04F247F2	0_2_04F247F2
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_0714C1B0	0_2_0714C1B0
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_07140040	0_2_07140040
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_07142E58	0_2_07142E58
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_07142E68	0_2_07142E68
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_07140D80	0_2_07140D80
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_07142C18	0_2_07142C18
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_07142C07	0_2_07142C07
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_0714D273	0_2_0714D273
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_0714617A	0_2_0714617A
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 4_2_00359526	4_2_00359526
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_00D59526	5_2_00D59526
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01222D50	5_2_01222D50
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_0122DF60	5_2_0122DF60
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01222768	5_2_01222768
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01221FE0	5_2_01221FE0
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_0122BAA8	5_2_0122BAA8
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_014520E0	5_2_014520E0
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01457EB8	5_2_01457EB8
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_014595F8	5_2_014595F8
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_0145EA28	5_2_0145EA28
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_014596A8	5_2_014596A8
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01540040	5_2_01540040
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01549418	5_2_01549418
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01545CDC	5_2_01545CDC
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_0154C340	5_2_0154C340
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01541780	5_2_01541780
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01544C10	5_2_01544C10
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01540006	5_2_01540006
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_0154F27A	5_2_0154F27A
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_017446A0	5_2_017446A0
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01745372	5_2_01745372
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_017435C4	5_2_017435C4
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_017445B0	5_2_017445B0

Source: Copyofreceipt.exe, 00000000.00000000.197376752.00000000006D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.222618081.0000000006ED0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.223262000.0000000007A90000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.223262000.0000000007A90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTXcrTtQyrOyUCSetTraHqGQSCLsAHRDhA.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000000.00000002.223124965.00000000079A0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000004.00000000.215163381.00000000003D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.464492892.0000000001168000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.464792709.0000000001230000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameTXcrTtQyrOyUCSetTraHqGQSCLsAHRDhA.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.464365715.0000000000DD2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe
Source: Copyofreceipt.exe, 00000005.00000002.467174113.0000000001460000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Copyofreceipt.exe
Source: Copyofreceipt.exe	Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe

Source: Copyofreceipt.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Copyofreceipt.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ZnTVKjXRZvpJV.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.Copyofreceipt.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.Copyofreceipt.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Copyofreceipt.exe, frmlogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: ZnTVKjXRZvpJV.exe.0.dr, frmlogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.Copyofreceipt.exe.650000.0.unpack, frmlogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.Copyofreceipt.exe.650000.0.unpack, frmlogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.Copyofreceipt.exe.350000.0.unpack, frmlogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.Copyofreceipt.exe.350000.0.unpack, frmlogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.2.Copyofreceipt.exe.d50000.1.unpack, frmlogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 5.0.Copyofreceipt.exe.d50000.0.unpack, frmlogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/5@4/1

Source: C:\Users\user\Desktop\Copyofreceipt.exe

File created: C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01

Source: C:\Users\user\Desktop\Copyofreceipt.exe

File created: C:\Users\user\AppData\Local\Temp\tmpEC38.tmp

Jump to behavior

Source: Copyofreceipt.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Copyofreceipt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Copyofreceipt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Copyofreceipt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Copyofreceipt.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: Copyofreceipt.exe

ReversingLabs: Detection: 10%

Source: C:\Users\user\Desktop\Copyofreceipt.exe

File read: C:\Users\user\Desktop\Copyofreceipt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Copyofreceipt.exe 'C:\Users\user\Desktop\Copyofreceipt.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe
Source: unknown	Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe	Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Copyofreceipt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Copyofreceipt.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Copyofreceipt.exe, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ZnTVKjXRZvpJV.exe.0.dr, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Copyofreceipt.exe.650000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Copyofreceipt.exe.650000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Copyofreceipt.exe.350000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Copyofreceipt.exe.350000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.Copyofreceipt.exe.d50000.1.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.Copyofreceipt.exe.d50000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_0714CF4A push ebx; retf	0_2_0714CF75
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_0714CF82 push ebx; retf	0_2_0714CF75
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 0_2_0714784B push esi; ret	0_2_0714784C
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_01227A37 push edi; retn 0000h	5_2_01227A39
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_0145D3C0 pushad ; retn 011Dh	5_2_0145D8E1
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Code function: 5_2_0145D938 pushad ; ret	5_2_0145D981

Source: initial sample	Static PE information: section name: .text entropy: 7.50002099302
Source: initial sample	Static PE information: section name: .text entropy: 7.50002099302

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\Copyofreceipt.exe

File created: C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\Copyofreceipt.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.217719267.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copyofreceipt.exe PID: 6436, type: MEMORY
Source: Yara match	File source: 0.2.Copyofreceipt.exe.2999eac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copyofreceipt.exe.29d317c.2.raw.unpack, type: UNPACKEDPE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Copyofreceipt.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Copyofreceipt.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Copyofreceipt.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe	Window / User API: threadDelayed 3398			Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Window / User API: threadDelayed 6457			Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe TID: 6440	Thread sleep time: -101937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe TID: 6460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe TID: 6960	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe TID: 6964	Thread sleep count: 3398 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe TID: 6964	Thread sleep count: 6457 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Copyofreceipt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Copyofreceipt.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Copyofreceipt.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\Copyofreceipt.exe

Code function: 5_2_01451840 LdrInitializeThunk,

5_2_01451840

Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Copyofreceipt.exe

Memory written: C:\Users\user\Desktop\Copyofreceipt.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Process created: C:\Users\user\Desktop\Copyofreceipt.exe C:\Users\user\Desktop\Copyofreceipt.exe	Jump to behavior

Source: Copyofreceipt.exe, 00000005.00000002.467940149.0000000001B70000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Copyofreceipt.exe, 00000005.00000002.467940149.0000000001B70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Copyofreceipt.exe, 00000005.00000002.467940149.0000000001B70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Copyofreceipt.exe, 00000005.00000002.467940149.0000000001B70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Users\user\Desktop\Copyofreceipt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Users\user\Desktop\Copyofreceipt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Copyofreceipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copyofreceipt.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copyofreceipt.exe PID: 6436, type: MEMORY
Source: Yara match	File source: 5.2.Copyofreceipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copyofreceipt.exe.3c3c800.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copyofreceipt.exe.3c3c800.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copyofreceipt.exe.3aded30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copyofreceipt.exe.3b3c750.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Copyofreceipt.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Copyofreceipt.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\Copyofreceipt.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\Copyofreceipt.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\Copyofreceipt.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copyofreceipt.exe PID: 6620, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copyofreceipt.exe PID: 6620, type: MEMORY
Source: Yara match	File source: Process Memory Space: Copyofreceipt.exe PID: 6436, type: MEMORY
Source: Yara match	File source: 5.2.Copyofreceipt.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copyofreceipt.exe.3c3c800.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copyofreceipt.exe.3c3c800.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copyofreceipt.exe.3aded30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Copyofreceipt.exe.3b3c750.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	Credentials in Registry1	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information31	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	Security Software Discovery321	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion14	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion14	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Copyofreceipt.exe	14%	Metadefender		Browse
Copyofreceipt.exe	11%	ReversingLabs	Win32.Trojan.Generic
Copyofreceipt.exe	100%	Avira	HEUR/AGEN.1138558
Copyofreceipt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe	100%	Avira	HEUR/AGEN.1138558
C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe	14%	Metadefender		Browse
C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe	11%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.Copyofreceipt.exe.350000.0.unpack	100%	Avira	HEUR/AGEN.1138558	Download File
0.0.Copyofreceipt.exe.650000.0.unpack	100%	Avira	HEUR/AGEN.1138558	Download File
4.2.Copyofreceipt.exe.350000.0.unpack	100%	Avira	HEUR/AGEN.1138558	Download File
5.2.Copyofreceipt.exe.d50000.1.unpack	100%	Avira	HEUR/AGEN.1138558	Download File
5.0.Copyofreceipt.exe.d50000.0.unpack	100%	Avira	HEUR/AGEN.1138558	Download File
5.2.Copyofreceipt.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
0.2.Copyofreceipt.exe.650000.0.unpack	100%	Avira	HEUR/AGEN.1138558	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://zJtUrL.com	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
https://0SOrICva3tdSq4g.net	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ccglass.co.za	102.130.118.207	true	false		high
mail.ccglass.co.za	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://0SOrICva3tdSq4g.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.ccglass.co.za	Copyofreceipt.exe, 00000005.00000002.470932330.00000000033A6000.00000004.00000001.sdmp	false		high
http://127.0.0.1:HTTP/1.1	Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://zJtUrL.com	Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false		high
http://www.fonts.com	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ccglass.co.za	Copyofreceipt.exe, 00000005.00000002.470932330.00000000033A6000.00000004.00000001.sdmp	false		high
http://www.urwpp.deDPlease	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Copyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, Copyofreceipt.exe, 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
102.130.118.207	unknown	South Africa		37153	xneeloZA	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356658
Start date:	23.02.2021
Start time:	14:23:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Copyofreceipt.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/5@4/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.9% (good quality ratio 0%) Quality average: 0% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 100% Number of executed functions: 119 Number of non-executed functions: 9
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.43.193.48, 104.43.139.144, 104.42.151.234, 51.104.144.132, 184.30.20.56, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.247, 92.122.213.194, 52.147.198.201 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/356658/sample/Copyofreceipt.exe

Simulations

Behavior and APIs

Time	Type	Description
14:24:03	API Interceptor	768x Sleep call for process: Copyofreceipt.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
xneeloZA	qIViYQyb0a.exe	Get hash	malicious	Browse	196.22.132.140
	aJ5e4OJb0Q.exe	Get hash	malicious	Browse	102.130.119.215
	roboforex4multisetup.exe	Get hash	malicious	Browse	156.38.206.18
	fortrade4setup.exe	Get hash	malicious	Browse	156.38.206.18
	Bank details.exe	Get hash	malicious	Browse	129.232.138.144
	iUUJykFNh2.doc	Get hash	malicious	Browse	156.38.221.244
	iUUJykFNh2.doc	Get hash	malicious	Browse	156.38.221.244
	iUUJykFNh2.doc	Get hash	malicious	Browse	156.38.221.244
	Copy__VLWEHK9R.doc	Get hash	malicious	Browse	156.38.221.244
	Copy_HJ1TCUG.doc	Get hash	malicious	Browse	156.38.221.244
	Copy_HJ1TCUG.doc	Get hash	malicious	Browse	156.38.221.244
	Copy_HJ1TCUG.doc	Get hash	malicious	Browse	156.38.221.244
	Copy_HJ1TCUG.doc	Get hash	malicious	Browse	156.38.221.244
	Scan BUYX.doc	Get hash	malicious	Browse	156.38.221.244
	Scan BUYX.doc	Get hash	malicious	Browse	156.38.221.244
	1 Total New Invoices-Monday December 14 2020.xlsm	Get hash	malicious	Browse	129.232.220.74
	eYXiYB6U8N.doc	Get hash	malicious	Browse	156.38.221.244
	dT361Rrrys.doc	Get hash	malicious	Browse	156.38.221.244
	dT361Rrrys.doc	Get hash	malicious	Browse	156.38.221.244
	eYXiYB6U8N.doc	Get hash	malicious	Browse	156.38.221.244

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Copyofreceipt.exe.log Download File
Process:	C:\Users\user\Desktop\Copyofreceipt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpEC38.tmp Download File
Process:	C:\Users\user\Desktop\Copyofreceipt.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1646
Entropy (8bit):	5.210550125242434
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB6tn:cbh47TlNQ//rydbz9I3YODOLNdq3a
MD5:	74E5178641256500F0E9F4BA27DA611F
SHA1:	B593E71E67185FB3D8D193D54DB4B420607F8ED0
SHA-256:	BF10430D5E9B5395B43B8D368C7E6D65E7EBA962F70DB8EFA14C8A7D95C4DE07
SHA-512:	B8FBC809F5FF30590BDDEC3CC49D71EC7F26FA15400CD0609F9A46BC0E10C7778D046790669F87C1645C5C86B941A433E7E58629F3212B61D16906CF18B7AAF0
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe Download File
Process:	C:\Users\user\Desktop\Copyofreceipt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	519168
Entropy (8bit):	7.487602713055043
Encrypted:	false
SSDEEP:	12288:NLY7TvkxZKBvCEVUGcRjH162O4KmWcZKU:NLY0KBvRUVRjygn
MD5:	6F9340718BF2DEFBDB4B438D80857FB3
SHA1:	DDFE78EC1DB2FBEC98EE87235938223360BAE49D
SHA-256:	26B8405B53DA2FA69471859793721F24E5C407BB4D2AF8537E21E244C4363F55
SHA-512:	D971042A10A141CB876D2AE3A69EBC7B9CFB740238B83FC59424344B15C2D9BAA09C624A925878C6A5E9E9DE8F36CEF34D49A6AA65B5A729D4AA56DA4A112B82
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 11%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3`..............P.................. ... ....@.. .......................`............@.................................T...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......8Y...T..............@R............................................( ...&..(!.....s"........s#........s$........s%........s&...........0...........~....o'....+...0...........~....o(....+...0...........~....o)....+...0...........~....o....+...0...........~....o+....+...0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+...0...........~.....+.."........0..&........(....r)..p~....o0...(1.....t$....+..Vs....(2...t...........(3...*.0..........

C:\Users\user\AppData\Roaming\ZnTVKjXRZvpJV.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Copyofreceipt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\nnze0rrb.c0s\Chrome\Default\Cookies Download File
Process:	C:\Users\user\Desktop\Copyofreceipt.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.487602713055043
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Copyofreceipt.exe
File size:	519168
MD5:	6f9340718bf2defbdb4b438d80857fb3
SHA1:	ddfe78ec1db2fbec98ee87235938223360bae49d
SHA256:	26b8405b53da2fa69471859793721f24e5c407bb4d2af8537e21e244c4363f55
SHA512:	d971042a10a141cb876d2ae3a69ebc7b9cfb740238b83fc59424344b15c2d9baa09c624a925878c6a5e9e9de8f36cef34d49a6aa65b5a729d4aa56da4a112b82
SSDEEP:	12288:NLY7TvkxZKBvCEVUGcRjH162O4KmWcZKU:NLY0KBvRUVRjygn
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3`..............P.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4800a6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6033EEFF [Mon Feb 22 17:50:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x80054	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x82000	0x5d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x84000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7e0ac	0x7e200	False	0.7782941805	data	7.50002099302	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x82000	0x5d8	0x600	False	0.430338541667	data	4.15623906597	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x84000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x82090	0x348	data
RT_MANIFEST	0x823e8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Microsoft 2014
Assembly Version	1.0.0.0
InternalName	PEFileKinds.exe
FileVersion	1.0.0.0
CompanyName	Microsoft
LegalTrademarks
Comments
ProductName	WinClient
ProductVersion	1.0.0.0
FileDescription	WinClient
OriginalFilename	PEFileKinds.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-14:25:51.269518	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49740	587	192.168.2.3	102.130.118.207
02/23/21-14:25:56.000105	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49741	587	192.168.2.3	102.130.118.207

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 14:25:47.920284986 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:48.148248911 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:48.148458958 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:49.477054119 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:49.477432966 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:49.707827091 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:49.710621119 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:49.940865993 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:49.942033052 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:50.211505890 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:50.563543081 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:50.564824104 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:50.800438881 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:50.801060915 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:51.031137943 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:51.031786919 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:51.264789104 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:51.265007973 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:51.269517899 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:51.270486116 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:51.270754099 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:51.271147013 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:51.503815889 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:51.503869057 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:51.566407919 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:51.613913059 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:52.692764044 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:52.924814939 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:52.924942970 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:52.926065922 CET	49740	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:53.157072067 CET	587	49740	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:53.214193106 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:53.440908909 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:53.442802906 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:54.212846041 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:54.213403940 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:54.440181971 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:54.440823078 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:54.682852983 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:54.683886051 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:54.945940018 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:54.946572065 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:55.203639030 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:55.203978062 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:55.593511105 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:55.653441906 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:55.653920889 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:55.996579885 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:55.997186899 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:55.999504089 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:56.000104904 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:56.000286102 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:56.000529051 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:56.000926018 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:56.001089096 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:56.001279116 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:56.001478910 CET	49741	587	192.168.2.3	102.130.118.207
Feb 23, 2021 14:25:56.345427036 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:56.346282959 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:56.346780062 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:56.347376108 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:56.389697075 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:57.340683937 CET	587	49741	102.130.118.207	192.168.2.3
Feb 23, 2021 14:25:57.396975040 CET	49741	587	192.168.2.3	102.130.118.207

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 14:24:06.293469906 CET	49199	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:06.353530884 CET	53	49199	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:07.905133009 CET	50620	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:07.953888893 CET	53	50620	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:08.865890980 CET	64938	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:08.917666912 CET	53	64938	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:09.805881023 CET	60152	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:09.858961105 CET	53	60152	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:10.826489925 CET	57544	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:10.876769066 CET	53	57544	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:11.773478985 CET	55984	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:11.826736927 CET	53	55984	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:13.191037893 CET	64185	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:13.239675999 CET	53	64185	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:15.075582027 CET	65110	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:15.127912998 CET	53	65110	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:16.280759096 CET	58361	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:16.329624891 CET	53	58361	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:17.238226891 CET	63492	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:17.297549963 CET	53	63492	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:23.219616890 CET	60831	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:23.284632921 CET	53	60831	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:24.249520063 CET	60100	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:24.298491001 CET	53	60100	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:24.907696009 CET	53195	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:24.958107948 CET	53	53195	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:29.836438894 CET	50141	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:29.898005962 CET	53	50141	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:40.570148945 CET	53023	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:40.618855000 CET	53	53023	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:42.166326046 CET	49563	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:42.226610899 CET	53	49563	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:43.522676945 CET	51352	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:43.574994087 CET	53	51352	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:44.397749901 CET	59349	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:44.472640991 CET	53	59349	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:46.855901957 CET	57084	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:46.904716015 CET	53	57084	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:47.163440943 CET	58823	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:47.228372097 CET	53	58823	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:47.901654005 CET	57568	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:47.950432062 CET	53	57568	8.8.8.8	192.168.2.3
Feb 23, 2021 14:24:49.088057995 CET	50540	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:24:49.137070894 CET	53	50540	8.8.8.8	192.168.2.3
Feb 23, 2021 14:25:01.407572985 CET	54366	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:25:01.456485033 CET	53	54366	8.8.8.8	192.168.2.3
Feb 23, 2021 14:25:07.370172977 CET	53034	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:25:07.431126118 CET	53	53034	8.8.8.8	192.168.2.3
Feb 23, 2021 14:25:12.358786106 CET	57762	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:25:12.412118912 CET	53	57762	8.8.8.8	192.168.2.3
Feb 23, 2021 14:25:36.036636114 CET	55435	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:25:36.085448980 CET	53	55435	8.8.8.8	192.168.2.3
Feb 23, 2021 14:25:38.032072067 CET	50713	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:25:38.103945017 CET	53	50713	8.8.8.8	192.168.2.3
Feb 23, 2021 14:25:47.658164978 CET	56132	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:25:47.726969957 CET	53	56132	8.8.8.8	192.168.2.3
Feb 23, 2021 14:25:47.741564989 CET	58987	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:25:47.805444956 CET	53	58987	8.8.8.8	192.168.2.3
Feb 23, 2021 14:25:52.978311062 CET	56579	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:25:53.050185919 CET	53	56579	8.8.8.8	192.168.2.3
Feb 23, 2021 14:25:53.095804930 CET	60633	53	192.168.2.3	8.8.8.8
Feb 23, 2021 14:25:53.211267948 CET	53	60633	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 14:25:47.658164978 CET	192.168.2.3	8.8.8.8	0x1aee	Standard query (0)	mail.ccglass.co.za	A (IP address)	IN (0x0001)
Feb 23, 2021 14:25:47.741564989 CET	192.168.2.3	8.8.8.8	0x4a49	Standard query (0)	mail.ccglass.co.za	A (IP address)	IN (0x0001)
Feb 23, 2021 14:25:52.978311062 CET	192.168.2.3	8.8.8.8	0x8a79	Standard query (0)	mail.ccglass.co.za	A (IP address)	IN (0x0001)
Feb 23, 2021 14:25:53.095804930 CET	192.168.2.3	8.8.8.8	0xb063	Standard query (0)	mail.ccglass.co.za	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 14:25:47.726969957 CET	8.8.8.8	192.168.2.3	0x1aee	No error (0)	mail.ccglass.co.za	ccglass.co.za		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 14:25:47.726969957 CET	8.8.8.8	192.168.2.3	0x1aee	No error (0)	ccglass.co.za		102.130.118.207	A (IP address)	IN (0x0001)
Feb 23, 2021 14:25:47.805444956 CET	8.8.8.8	192.168.2.3	0x4a49	No error (0)	mail.ccglass.co.za	ccglass.co.za		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 14:25:47.805444956 CET	8.8.8.8	192.168.2.3	0x4a49	No error (0)	ccglass.co.za		102.130.118.207	A (IP address)	IN (0x0001)
Feb 23, 2021 14:25:53.050185919 CET	8.8.8.8	192.168.2.3	0x8a79	No error (0)	mail.ccglass.co.za	ccglass.co.za		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 14:25:53.050185919 CET	8.8.8.8	192.168.2.3	0x8a79	No error (0)	ccglass.co.za		102.130.118.207	A (IP address)	IN (0x0001)
Feb 23, 2021 14:25:53.211267948 CET	8.8.8.8	192.168.2.3	0xb063	No error (0)	mail.ccglass.co.za	ccglass.co.za		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 14:25:53.211267948 CET	8.8.8.8	192.168.2.3	0xb063	No error (0)	ccglass.co.za		102.130.118.207	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 23, 2021 14:25:49.477054119 CET	587	49740	102.130.118.207	192.168.2.3	220-cp25-za1.host-ww.net ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 15:25:48 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 23, 2021 14:25:49.477432966 CET	49740	587	192.168.2.3	102.130.118.207	EHLO 609290
Feb 23, 2021 14:25:49.707827091 CET	587	49740	102.130.118.207	192.168.2.3	250-cp25-za1.host-ww.net Hello 609290 [84.17.52.38] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 23, 2021 14:25:49.710621119 CET	49740	587	192.168.2.3	102.130.118.207	AUTH login emVub3ZpYUBjY2dsYXNzLmNvLnph
Feb 23, 2021 14:25:49.940865993 CET	587	49740	102.130.118.207	192.168.2.3	334 UGFzc3dvcmQ6
Feb 23, 2021 14:25:50.563543081 CET	587	49740	102.130.118.207	192.168.2.3	235 Authentication succeeded
Feb 23, 2021 14:25:50.564824104 CET	49740	587	192.168.2.3	102.130.118.207	MAIL FROM:<zenovia@ccglass.co.za>
Feb 23, 2021 14:25:50.800438881 CET	587	49740	102.130.118.207	192.168.2.3	250 OK
Feb 23, 2021 14:25:50.801060915 CET	49740	587	192.168.2.3	102.130.118.207	RCPT TO:<zenovia@ccglass.co.za>
Feb 23, 2021 14:25:51.031137943 CET	587	49740	102.130.118.207	192.168.2.3	250 Accepted
Feb 23, 2021 14:25:51.031786919 CET	49740	587	192.168.2.3	102.130.118.207	DATA
Feb 23, 2021 14:25:51.265007973 CET	587	49740	102.130.118.207	192.168.2.3	354 Enter message, ending with "." on a line by itself
Feb 23, 2021 14:25:51.271147013 CET	49740	587	192.168.2.3	102.130.118.207	.
Feb 23, 2021 14:25:51.566407919 CET	587	49740	102.130.118.207	192.168.2.3	250 OK id=1lEXhG-00Fa50-EY
Feb 23, 2021 14:25:52.692764044 CET	49740	587	192.168.2.3	102.130.118.207	QUIT
Feb 23, 2021 14:25:52.924814939 CET	587	49740	102.130.118.207	192.168.2.3	221 cp25-za1.host-ww.net closing connection
Feb 23, 2021 14:25:54.212846041 CET	587	49741	102.130.118.207	192.168.2.3	220-cp25-za1.host-ww.net ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 15:25:53 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 23, 2021 14:25:54.213403940 CET	49741	587	192.168.2.3	102.130.118.207	EHLO 609290
Feb 23, 2021 14:25:54.440181971 CET	587	49741	102.130.118.207	192.168.2.3	250-cp25-za1.host-ww.net Hello 609290 [84.17.52.38] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 23, 2021 14:25:54.440823078 CET	49741	587	192.168.2.3	102.130.118.207	AUTH login emVub3ZpYUBjY2dsYXNzLmNvLnph
Feb 23, 2021 14:25:54.682852983 CET	587	49741	102.130.118.207	192.168.2.3	334 UGFzc3dvcmQ6
Feb 23, 2021 14:25:54.945940018 CET	587	49741	102.130.118.207	192.168.2.3	235 Authentication succeeded
Feb 23, 2021 14:25:54.946572065 CET	49741	587	192.168.2.3	102.130.118.207	MAIL FROM:<zenovia@ccglass.co.za>
Feb 23, 2021 14:25:55.203639030 CET	587	49741	102.130.118.207	192.168.2.3	250 OK
Feb 23, 2021 14:25:55.203978062 CET	49741	587	192.168.2.3	102.130.118.207	RCPT TO:<zenovia@ccglass.co.za>
Feb 23, 2021 14:25:55.653441906 CET	587	49741	102.130.118.207	192.168.2.3	250 Accepted
Feb 23, 2021 14:25:55.653920889 CET	49741	587	192.168.2.3	102.130.118.207	DATA
Feb 23, 2021 14:25:55.997186899 CET	587	49741	102.130.118.207	192.168.2.3	354 Enter message, ending with "." on a line by itself
Feb 23, 2021 14:25:56.001478910 CET	49741	587	192.168.2.3	102.130.118.207	.
Feb 23, 2021 14:25:57.340683937 CET	587	49741	102.130.118.207	192.168.2.3	250 OK id=1lEXhL-00Fa6F-5t

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Copyofreceipt.exe PID: 6436 Parent PID: 5652

General

Start time:	14:23:57
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Copyofreceipt.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Copyofreceipt.exe'
Imagebase:	0x650000
File size:	519168 bytes
MD5 hash:	6F9340718BF2DEFBDB4B438D80857FB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.217719267.0000000002971000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6568 Parent PID: 6436

General

Start time:	14:24:05
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ZnTVKjXRZvpJV' /XML 'C:\Users\user\AppData\Local\Temp\tmpEC38.tmp'
Imagebase:	0xe00000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6576 Parent PID: 6568

General

Start time:	14:24:05
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Copyofreceipt.exe PID: 6612 Parent PID: 6436

General

Start time:	14:24:06
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Copyofreceipt.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Copyofreceipt.exe
Imagebase:	0x350000
File size:	519168 bytes
MD5 hash:	6F9340718BF2DEFBDB4B438D80857FB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Copyofreceipt.exe PID: 6620 Parent PID: 6436

General

Start time:	14:24:06
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\Copyofreceipt.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Copyofreceipt.exe
Imagebase:	0xd50000
File size:	519168 bytes
MD5 hash:	6F9340718BF2DEFBDB4B438D80857FB3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Copyofreceipt.exe PID: 6436 Parent PID: 5652 Copyofreceipt.exeCOMMON

Executed Functions

Function 07140040, Relevance: 4.6, Strings: 3, Instructions: 895COMMON

Download Yara Rule

Strings

D0l, xrefs: 07140615
D0l, xrefs: 07140515
D0l, xrefs: 07140488

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID: D0l$D0l$D0l
API String ID: 0-195073329
Opcode ID: a2c8a35ce8d4830bcf55427b524d2ed6ca31b3a3844a88232df06b615f3073f1
Instruction ID: d3448edc1db3c17057e2a54af265fbef3b8887406e2a4d34bbab3a08156c6dd1
Opcode Fuzzy Hash: a2c8a35ce8d4830bcf55427b524d2ed6ca31b3a3844a88232df06b615f3073f1
Instruction Fuzzy Hash: 837282B0A001199FCB15DF65C894AAEBBF2FF89304F1580A9E945EB391DB34DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F247F2, Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219451398.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b2e7bb5680858a40f2edd391d8d819b5f5837449e58cecd00b4f5dc3d77394
Instruction ID: 8bfe5b5b933815ac2b580a63f838ecb0861191be04c0a3044b40055589074a69
Opcode Fuzzy Hash: 64b2e7bb5680858a40f2edd391d8d819b5f5837449e58cecd00b4f5dc3d77394
Instruction Fuzzy Hash: 1C22D634A10619CFDB14EFA4C994A9DB7B1FF8A304F1181AAD50AAB364DB71AD85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 04F247F8, Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.219451398.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b24f255d852fcb281c304df159fbc48f34fb0d8a6cc1b999b0136ed862eba83
Instruction ID: 49730a0a0957ad142b7123e196637dc0f73bce81108bf5afd0a54266decc42d6
Opcode Fuzzy Hash: 5b24f255d852fcb281c304df159fbc48f34fb0d8a6cc1b999b0136ed862eba83
Instruction Fuzzy Hash: 8422D734A10619CFDB14EFB4C994A9DB7B1FF8A304F1181AAD50AAB364DB71AD85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0714D273, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f288bfebafa15bc3f1dcbbffe9b83f66bece2191657ba1eebdaa63cc3310729
Instruction ID: d167b2dd572eab877af43cbb7317b356ad83bf7906ca4e4dd869260b8464873a
Opcode Fuzzy Hash: 8f288bfebafa15bc3f1dcbbffe9b83f66bece2191657ba1eebdaa63cc3310729
Instruction Fuzzy Hash: BFB19EB0B00215CFDF15DF69D884A9DBBF5BF84314F568069E985AB2A1DB30ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0714C1B0, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f051064dec5af1057017c0e31f5ccdb4fdea1538d9fc5582a1e6efff02614b
Instruction ID: 08cd6a984d95bd82b3b66bb98669fc41d9af6b911b420de03fa63489a7a10163
Opcode Fuzzy Hash: a5f051064dec5af1057017c0e31f5ccdb4fdea1538d9fc5582a1e6efff02614b
Instruction Fuzzy Hash: 9E71F3B1D41229CFDB24DF69C8847DDB7F2BB89300F1085EAD519A6280EB745AC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0714E84F, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033f83e5067f56558da5fe878ac2e1f3fa4c1013681456130d2dccd48c783d20
Instruction ID: 314070ed3bd2a245e58307eaecbb309f3c0bd65fecf511b8e6938284f6f3152e
Opcode Fuzzy Hash: 033f83e5067f56558da5fe878ac2e1f3fa4c1013681456130d2dccd48c783d20
Instruction Fuzzy Hash: 4C2154B0D0525ADFDB14DFA5C8097EEBBF0BB0A301F14846AE401B3281D7788A48CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0714E860, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c968c1233a37d8d3d628a3664b53909bbf427de089d25e103051824abd762b2
Instruction ID: 3f362c8cf4d84ba5955eee2c41b23cdb2d520a66d24c127bddb1ecd3edd2a36f
Opcode Fuzzy Hash: 2c968c1233a37d8d3d628a3664b53909bbf427de089d25e103051824abd762b2
Instruction Fuzzy Hash: 5F1127B0D052598FDF158FA5C919BEEBAF1BB4E311F149069E441B3290C7788988CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0714A5AC, Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0714A7EE

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1579e5eca645dcd961dadaad334fbb3c51fa3573132a9b54d2c87d755a1893d8
Instruction ID: 6eb803a502739d589742fc488e915e317c8323a8a50a4137c8f604f58685d406
Opcode Fuzzy Hash: 1579e5eca645dcd961dadaad334fbb3c51fa3573132a9b54d2c87d755a1893d8
Instruction Fuzzy Hash: 20A18DB1D4021ADFDB10DFA8C841BDEBBB2FF48315F158569E809A7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0714A5B8, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0714A7EE

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 258ac946a13ee446bc509d8af99c9b9bc470e4983a066f5e6311f63db6f36b2e
Instruction ID: 72a51d1089d738e8fbc2300693fb8823b1a9506500b78aa30281baef95619158
Opcode Fuzzy Hash: 258ac946a13ee446bc509d8af99c9b9bc470e4983a066f5e6311f63db6f36b2e
Instruction Fuzzy Hash: C5917CB1D0021ADFDB20DFA8C841BDEBBB2FF48315F158569E809A7280DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010694F0, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01069736

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 716664c74573f7f4f7ad5b46c68c394f6188249aae8c235543b934f44fdfcf18
Instruction ID: 6eb1ca67666a659fcdd366007bb80b56ee37cd0092428c5860d59e37b9b0c900
Opcode Fuzzy Hash: 716664c74573f7f4f7ad5b46c68c394f6188249aae8c235543b934f44fdfcf18
Instruction Fuzzy Hash: C2711570A00B058FDB64DF2AD55079ABBF5BF88218F10892ED586DBB40D735E905CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0106FCCD, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0106FE2A

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b5d9f7089b1ef285ab72d50b06cd57dc4cdfea7292915cdf13bf0fa45fe0817c
Instruction ID: 37d098960b418f8c59c10e826029ef5c4457bd01857d4e20b1586cd35b9effea
Opcode Fuzzy Hash: b5d9f7089b1ef285ab72d50b06cd57dc4cdfea7292915cdf13bf0fa45fe0817c
Instruction Fuzzy Hash: 2F5110B1D00209AFDF01DFA9D880ADEBFB6FF48314F24816AE918AB220D7719945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0106DAD0, Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0106FE2A

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 29a60926b78818a1abb36f3646cc338e02ea83e54706ae6a13842ad48d45d49a
Instruction ID: e15790f703cc2b24d7273efec66aeb47e374d36f8875188183ecc71e7ba79f89
Opcode Fuzzy Hash: 29a60926b78818a1abb36f3646cc338e02ea83e54706ae6a13842ad48d45d49a
Instruction Fuzzy Hash: CA5100B1D043099FDB14DFA9D890ADEBFB6FF48314F24816AE419AB210D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0106FD0C, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0106FE2A

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 82e251443c0dd07a367427004668073839d6e0cd2dd8e20ed5ed5bb6d17ed41b
Instruction ID: 41f51036c040552c3c86af13e06305dc28d8223f685206a379aab2c1ee4f9227
Opcode Fuzzy Hash: 82e251443c0dd07a367427004668073839d6e0cd2dd8e20ed5ed5bb6d17ed41b
Instruction Fuzzy Hash: CC51EFB1D00309AFDB14DFA9D884ADEBFB5FF48314F24812AE819AB210D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0106DAEC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0106FE2A

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fb23fecff8c798cc8b34940abf4a40f0f7e727cb2518ec992fd513b54342a4a1
Instruction ID: bffec4317395202d35ec1483288d0e8e0e699493206363d4dee67084190b2896
Opcode Fuzzy Hash: fb23fecff8c798cc8b34940abf4a40f0f7e727cb2518ec992fd513b54342a4a1
Instruction Fuzzy Hash: 8751BEB1D003099FDB14DFA9D894ADEBFB5FF48314F24812AE819AB210D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04F223B0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04F22471

Memory Dump Source

Source File: 00000000.00000002.219451398.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: afe1c175d544f4a052f627f887ab7a2b1f72635b88c50eff59b36db151b092b9
Instruction ID: 4b416a87c7bd8de693b36627edffb8114ad2558aaf44fad19dff86a32f7b6c05
Opcode Fuzzy Hash: afe1c175d544f4a052f627f887ab7a2b1f72635b88c50eff59b36db151b092b9
Instruction Fuzzy Hash: B74148B4A00615CFDB14CF99C488AABBBF5FF88314F25C599E519AB321D374A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0714A328, Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0714A3C0

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fba8810d60fb99a8eb128abde670a20760e5924744ecff75d5dcf4628a141542
Instruction ID: 547efee5f004b8f17625765f735f4940b6d9d1d920ac84538f307d5823dd43d6
Opcode Fuzzy Hash: fba8810d60fb99a8eb128abde670a20760e5924744ecff75d5dcf4628a141542
Instruction Fuzzy Hash: 9D215CB19003099FCF10DFA9D8447EEBBF5FF48314F118429E919A7640D7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0714A330, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0714A3C0

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4fd430599535a6046a349dd8358bd5479f6b84415afa16ba01ede10b39a5502f
Instruction ID: 78ee7d9ab613d0e0b96159712c1626078b83db4e75e02d652144101e571f0d6d
Opcode Fuzzy Hash: 4fd430599535a6046a349dd8358bd5479f6b84415afa16ba01ede10b39a5502f
Instruction Fuzzy Hash: BA2127B19003599FCF10DFA9D884BDEBBF5FF48314F118429E919A7240DB789944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0714A190, Relevance: 1.6, APIs: 1, Instructions: 69threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0714A216

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ba14a0362e016e14308cdea065c15c6b1f53f0ec7ff428498d1b82aabe0ea5a6
Instruction ID: c9180fa2467a7171f594efff4801675eecc7a0e1d816c28fb37d95b02c5b17a1
Opcode Fuzzy Hash: ba14a0362e016e14308cdea065c15c6b1f53f0ec7ff428498d1b82aabe0ea5a6
Instruction Fuzzy Hash: AC217AB19002098FCB10DFA9D4847EEBBF5EF49224F158429E459A7740CB789944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0714A419, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0714A4A0

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d6186456d1c31ff6a51b1994f0efdebe1529d2e4d5720937a617628d4b123a53
Instruction ID: 335e06c00f2f10a8456e1cbfc1706118efabd9bf264f116add4f8d9f71eaf6ff
Opcode Fuzzy Hash: d6186456d1c31ff6a51b1994f0efdebe1529d2e4d5720937a617628d4b123a53
Instruction Fuzzy Hash: 4C216BB1D003499FCB10DFA9D844BEEBBB5FF48324F15842AE518A7640C7389904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0106A264, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0106B9DE,?,?,?,?,?), ref: 0106BA9F

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9761fabe4f8447c524d70f909a578dc62b944d35ac53519c5f9ee366404bc067
Instruction ID: b9ffbe1cf0ce8b97ed9ce7a034fbe089e184141671b0e6f764d12fe1be8c282b
Opcode Fuzzy Hash: 9761fabe4f8447c524d70f909a578dc62b944d35ac53519c5f9ee366404bc067
Instruction Fuzzy Hash: D92116B5D002089FDB10DFA9D484ADEBBF8EB48324F14805AE914B7310D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0106BA11, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0106B9DE,?,?,?,?,?), ref: 0106BA9F

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 25377cdcde5b4f117aaceff4a3104dbf82f8d21c7f7540bcd736c326b796ef97
Instruction ID: 766307e9044dccf17e1120dc5021d20757a050c61949f449a0f2a9215d8d0fdb
Opcode Fuzzy Hash: 25377cdcde5b4f117aaceff4a3104dbf82f8d21c7f7540bcd736c326b796ef97
Instruction Fuzzy Hash: D521E4B5D002089FDB10DFA9D984ADEBBF8EB48324F14801AE955A7310D379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0714A420, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0714A4A0

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2718f788568341a28e138c8d55f231118e91307c657a4815c0a070b3defe6b5b
Instruction ID: 70c13dc4f8d018b0273e6666afa4d43d22db61ca0886509c490edc064208a08c
Opcode Fuzzy Hash: 2718f788568341a28e138c8d55f231118e91307c657a4815c0a070b3defe6b5b
Instruction Fuzzy Hash: D52128B1D003599FCF10DFAAD884AEEBBF5FF48324F558429E519A7640C7389944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0714A198, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0714A216

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: cc3245b921b95aba5456bb590465faac5e1fc3e1e2afe4da158a3579343a79e0
Instruction ID: c23f2a20e33c70c00fff38766540ed6fde61cc3839774120a3e0e10d222971e9
Opcode Fuzzy Hash: cc3245b921b95aba5456bb590465faac5e1fc3e1e2afe4da158a3579343a79e0
Instruction Fuzzy Hash: 252118B1D003098FCB10DFAAC484BEEBBF5EF48324F558429E519A7640DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01069950, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010697B1,00000800,00000000,00000000), ref: 010699C2

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 69c055a3ecd0b89ae60204cbc3e0d950d5c903a8444f64577808f8ebcd22b2fe
Instruction ID: 6e1d7bd941b9979038149e74382e7ea0c212fc7bbcdb4e65085e5b4af90d92ea
Opcode Fuzzy Hash: 69c055a3ecd0b89ae60204cbc3e0d950d5c903a8444f64577808f8ebcd22b2fe
Instruction Fuzzy Hash: 4D116AB2D002098FDF10DF9AD484ADEFBF4EB98324F00842AE555A7700C3799545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0714A268, Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0714A2DE

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 71c7bffe7d1b35f1dce0f41848d51fd45064735ce38ffada460d557611f24489
Instruction ID: b6fa31464799bfd1721c638b7df47177eb30521a7c6c1ffd92dbac69ebe26e9a
Opcode Fuzzy Hash: 71c7bffe7d1b35f1dce0f41848d51fd45064735ce38ffada460d557611f24489
Instruction Fuzzy Hash: C62189729002499FCF10DFA9D844BEFBBF5EF88324F148819E515A7650CB3AA944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010688B8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010697B1,00000800,00000000,00000000), ref: 010699C2

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1b13a7f46f1e9c8073642bf78b43cf6de5c2d6ad673506cc86664b0ddda68dfc
Instruction ID: 5bcee2f526f28d28dd8eb69278fbaef8d10ec18082971802756a31c58cf429db
Opcode Fuzzy Hash: 1b13a7f46f1e9c8073642bf78b43cf6de5c2d6ad673506cc86664b0ddda68dfc
Instruction Fuzzy Hash: 5F1144B29003098FDB10DF9AD444ADEFBF8EB88324F00842AE555A7600C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0714A270, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0714A2DE

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3567ea98107fb41b18e194202c2bf8b460f5390cceb513d548e9f521834c09c3
Instruction ID: edc2794c2e4fe862e57c2471bdcb38630babb25f54b58b7fb8853710aa75b292
Opcode Fuzzy Hash: 3567ea98107fb41b18e194202c2bf8b460f5390cceb513d548e9f521834c09c3
Instruction Fuzzy Hash: D41149B19002499FCF10DFAAD844BDFBBF5EF48324F158819E515A7650C7799944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0714A0E1, Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0714A14A

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d4672b768dbed8628d06999e4e7a544510df5c77506ba9a2200135a5ff9c66d5
Instruction ID: 7a9b4cabc4da9d1b2caa0faf3a85dd79ff460524a41db2917fbd654f15667ccf
Opcode Fuzzy Hash: d4672b768dbed8628d06999e4e7a544510df5c77506ba9a2200135a5ff9c66d5
Instruction Fuzzy Hash: 771149B19043498FCB10DFAAD8447EEBBF5AF89228F15841AD519A7240C7396945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0714D671, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0714D6D5

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 31a04dc7e484844186cdf815617b28ff51445f4311ebddd7a4d62b497f099407
Instruction ID: 9da7d4588f887c2fa5761abc452cd20aa256d536185af9144ed9a46ffb49c5d0
Opcode Fuzzy Hash: 31a04dc7e484844186cdf815617b28ff51445f4311ebddd7a4d62b497f099407
Instruction Fuzzy Hash: 0B1134B580074A9FCB10DF99E844BDEBFF8FB49324F24844AE959A7601C375A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0714A0E8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0714A14A

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ce887a8437f3069fbc234aef0d84ee43baf2dae655ddf78c2f51ede576bd4d4f
Instruction ID: 51f79fe923446df4efdf3c9334ec482318f952bc0db42afacbf5fc21a9387f6c
Opcode Fuzzy Hash: ce887a8437f3069fbc234aef0d84ee43baf2dae655ddf78c2f51ede576bd4d4f
Instruction Fuzzy Hash: CF1128B19002498FCB10DFAAD8447DFBBF5AF88224F158419D519A7640C779A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 010696D0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01069736

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c76efcb0fb97c9d3594765ee29f0241837d81d29ee771c41f381fbcf5e4637e5
Instruction ID: dedaeaccedd620fe86da21029ff84f46954c2d4c4cd362af80c60915cff05013
Opcode Fuzzy Hash: c76efcb0fb97c9d3594765ee29f0241837d81d29ee771c41f381fbcf5e4637e5
Instruction Fuzzy Hash: 361110B5C002098FDB10DF9AD444BDEFBF8EB88324F14845AD459B7600C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0714D678, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0714D6D5

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 48abd5fc8150ceb78efc42983d94fd418e1ba36f187e4d15da8e8d6bef28d5c9
Instruction ID: cf1b471fac2da7a4ef7ab0c887172e70c0e0f27cc5e5be627ea90a1bde8ca1ba
Opcode Fuzzy Hash: 48abd5fc8150ceb78efc42983d94fd418e1ba36f187e4d15da8e8d6bef28d5c9
Instruction Fuzzy Hash: 061112B59003499FCB10DF9AD984BDFBBF8EB48324F10841AE559A7700C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C3D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217259787.0000000000C3D000.00000040.00000001.sdmp, Offset: 00C3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eabe3c274afb4290dd11e500eb278c1a202537da789e500f12034448e7ba3ce
Instruction ID: 562502a299cb47ac1e0a12cd6694d28b2ca2912ee4ef1cb68b22d1923285c4f3
Opcode Fuzzy Hash: 9eabe3c274afb4290dd11e500eb278c1a202537da789e500f12034448e7ba3ce
Instruction Fuzzy Hash: DC2125B1514240DFDB01DF54E9C0B26BF66FB98328F24C569E90B0B256C336E956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217259787.0000000000C3D000.00000040.00000001.sdmp, Offset: 00C3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01c435ae5d42b7d36ca4077b1cfa8425bf2c0d5b74066c90e0bd1c1ef6731ee
Instruction ID: 97c29ea9373f85059e893877cf545f6aa97a53d390d19b7f5cb959270ec8b074
Opcode Fuzzy Hash: c01c435ae5d42b7d36ca4077b1cfa8425bf2c0d5b74066c90e0bd1c1ef6731ee
Instruction Fuzzy Hash: 0811E6B6804280DFCF12CF14E5C4B16BF72FB94324F24C6A9D8060B616C336D95ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C3D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217259787.0000000000C3D000.00000040.00000001.sdmp, Offset: 00C3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2d82fa05579ea4eab5c7a60e3c29b203992c59ab97a9045d72cd7d81111997
Instruction ID: 6cb4d8da0e456ee0e0c603ed5e5f1ce0209da2782c5ce2598e3563708d90d9ce
Opcode Fuzzy Hash: 5f2d82fa05579ea4eab5c7a60e3c29b203992c59ab97a9045d72cd7d81111997
Instruction Fuzzy Hash: 38012B714183409AE7205F26EC84B67BB9CEF42378F18C55AFD165B24AD3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00C3D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217259787.0000000000C3D000.00000040.00000001.sdmp, Offset: 00C3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84388c387534fd182358a5524c4221bad7b5d9e216be0309d90680e65fbf317b
Instruction ID: fc9b8bf2007b4a6b7af1bd654236105f50df81e1162d8957efa6ff83aa9e7fc8
Opcode Fuzzy Hash: 84388c387534fd182358a5524c4221bad7b5d9e216be0309d90680e65fbf317b
Instruction Fuzzy Hash: 1FF062714043849EEB109E15DC84B62FF98EB42774F18C45AED195B78AC3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0714617A, Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

-k[b, xrefs: 0714620B

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID: -k[b
API String ID: 0-3446474965
Opcode ID: fd95dc2d2232c4102d36e7b6e61aba12705f920a777a170b57bdb1daf0d912a9
Instruction ID: 68e74e96b2ceb337f1a083b0311432781e7823cc7dd43c782d18ef35940104c9
Opcode Fuzzy Hash: fd95dc2d2232c4102d36e7b6e61aba12705f920a777a170b57bdb1daf0d912a9
Instruction Fuzzy Hash: 0CB190B0E146688FDB64DF69C9847CCBBF1AF48305F1481E9D148B6216EB30AA99CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07142E68, Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

U, xrefs: 0714690D

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 9e274b83996c4aea7c5929ef05531bf86d513f9e94f7f408665523042c0dca80
Instruction ID: a566592f734d053499002dbe97e7c3dccd5b5ebcd5ab323bdd54f45d865355b8
Opcode Fuzzy Hash: 9e274b83996c4aea7c5929ef05531bf86d513f9e94f7f408665523042c0dca80
Instruction Fuzzy Hash: 0F619EB1E106698BEB28CF6BCD40699FAF7BFC5204F18C5E9C50CAB255DB3049868F54

Uniqueness

Uniqueness Score: -1.00%

Function 00659526, Relevance: 1.2, Instructions: 1217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.216874568.0000000000652000.00000002.00020000.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.216866840.0000000000650000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.216959292.00000000006D2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6e9811704804646cba51184835dcefb272ce6fa3ebf943c14ac026918f922c
Instruction ID: d361a572333742512660edd4344eba0f5b0c2758c653cecba4d0b4f50f3be283
Opcode Fuzzy Hash: 5c6e9811704804646cba51184835dcefb272ce6fa3ebf943c14ac026918f922c
Instruction Fuzzy Hash: C192236144EBC19FCB035B782DB12D17FB29D6722470E49C7C8C08F5A3E4196A9BE762

Uniqueness

Uniqueness Score: -1.00%

Function 07140D80, Relevance: .9, Instructions: 921COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bff097367420230434ba75ae7fe90de7e6f07fa96e621afadbea7233426b694
Instruction ID: 09f3840e49a828dc0d34602fec6bf6e7b4361f0cac2c9c49bddfca6a13c849f2
Opcode Fuzzy Hash: 8bff097367420230434ba75ae7fe90de7e6f07fa96e621afadbea7233426b694
Instruction Fuzzy Hash: C6826EB0A0020AEFCB15DF68C584AAEBBF2FF49315F158559E905DB2A1D730EC81DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0106E5A0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19f6c11a53e48a6b33d032fa310212c48f43b9bfc3e309319de478938bdab99
Instruction ID: 8902c6e5fdb71cbfeafd39c3eda1856c5cb1eebfe421a2db1f4b8554a01fe788
Opcode Fuzzy Hash: c19f6c11a53e48a6b33d032fa310212c48f43b9bfc3e309319de478938bdab99
Instruction Fuzzy Hash: 1312C3F94117468BE330DF65EED81893BA1B745328F904208D2E12FAD9D7BE156ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0106C0D4, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217641053.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02e5e90fee7a1e792778ca56d042c7a704ce5a68f4df5bd60406f64457a6283
Instruction ID: fe26f6a3833d5fd0a0d329b3b1debc818d37f169adfcbef9e34cd8de9af22c96
Opcode Fuzzy Hash: f02e5e90fee7a1e792778ca56d042c7a704ce5a68f4df5bd60406f64457a6283
Instruction Fuzzy Hash: A4A17F32E0021ACFCF15DFA5C9845DEBBF6FF85300B1581AAE985AB221DB31E905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07142C07, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fca4b68bab7f86844c3ad2762a6972c9c2574308ccfa122a1491504fda0c75
Instruction ID: d1751689aef125e24e626b6fe5f0e86cfbcb5ea825dfef54cc4c04915f83b061
Opcode Fuzzy Hash: c1fca4b68bab7f86844c3ad2762a6972c9c2574308ccfa122a1491504fda0c75
Instruction Fuzzy Hash: E4516270A082498FC744EFBAE4516DE7BF2EBC5304F04C839D0049F6A5DB796946DB91

Uniqueness

Uniqueness Score: -1.00%

Function 07142C18, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1500fe533fbf1e4f29741496a228521351cd28e4ebc231d4e1f7f1253facc9
Instruction ID: 800a028c0aee052d458a80b9509ecd31951652eb2db57194aa76be039a997864
Opcode Fuzzy Hash: 2c1500fe533fbf1e4f29741496a228521351cd28e4ebc231d4e1f7f1253facc9
Instruction Fuzzy Hash: 64516070A082498FC748EFBAE45169E7BF2EBC5304F04C839E1049F6A5DB796905DB91

Uniqueness

Uniqueness Score: -1.00%

Function 07142E58, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.222815381.0000000007140000.00000040.00000001.sdmp, Offset: 07140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff9101f5e1182668b5314f27ec09aabc17634ce650bcdff3e9500e3cf02ae7d
Instruction ID: b896f779639192bda412f9dd77a73071306ef58beb87c3d3c168e33602dffce8
Opcode Fuzzy Hash: 8ff9101f5e1182668b5314f27ec09aabc17634ce650bcdff3e9500e3cf02ae7d
Instruction Fuzzy Hash: 75519FB1E005698BEB18CF6BCD40699FBF7BFC5204F18C5BAC55CAA255DB3049828F54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Copyofreceipt.exe PID: 6620 Parent PID: 6436 Copyofreceipt.exeCOMMON

Executed Functions

Function 01221FE0, Relevance: 4.3, Strings: 3, Instructions: 515COMMON

Download Yara Rule

Strings

D0l, xrefs: 012224D1
D0l, xrefs: 01222444
D0l, xrefs: 012225D1

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID: D0l$D0l$D0l
API String ID: 0-195073329
Opcode ID: dea81eff0b6fa5f5bda666dd2b16200c272ee7e1bd18551146c6ccac86e2a9ff
Instruction ID: 724b9a41feb37379e1bdb36b543663ca0ed595a05be88f73ebdeff481c4b4dc6
Opcode Fuzzy Hash: dea81eff0b6fa5f5bda666dd2b16200c272ee7e1bd18551146c6ccac86e2a9ff
Instruction Fuzzy Hash: E4128E70A102199FDB14DF68C854BAEBBF6BF89304F158029E906AB395DF35DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01541780, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01541F08

Memory Dump Source

Source File: 00000005.00000002.467314191.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e26a87b9644014089720addb78b09b388b835f16bcc5d33f95baa01d9b84eab6
Instruction ID: 489271536cf5eb8e8485aaa8357e55513469346171f6132d8ceed8dde61b3a26
Opcode Fuzzy Hash: e26a87b9644014089720addb78b09b388b835f16bcc5d33f95baa01d9b84eab6
Instruction Fuzzy Hash: E9621874E006198FCB24EF78C85469DB7F2BF89304F1185AAD50AAB354EF30AA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01451840, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01451881

Memory Dump Source

Source File: 00000005.00000002.467146916.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e5fbb6c0b50763ccc890d2e3447864da254fd73f90f1fbc57b3d4a935775c6e
Instruction ID: 75b563e7f1cc9a927f0f242d250466c15da2ec0f0d750368f80dc2b721c4bd71
Opcode Fuzzy Hash: 1e5fbb6c0b50763ccc890d2e3447864da254fd73f90f1fbc57b3d4a935775c6e
Instruction Fuzzy Hash: B3618E30A00219DBDB54EFB4D4587AEBBF2BF84704F118829E816AB355DB799C45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01222D50, Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7a7baf7b27c741c017c4a494fd91ca7b4b9627b5cfc1cb1335a353478ad4a6
Instruction ID: d0215ab44f2c1187de889851251a59340fa5c76389835e7c4d7af42ba20b6b81
Opcode Fuzzy Hash: 8f7a7baf7b27c741c017c4a494fd91ca7b4b9627b5cfc1cb1335a353478ad4a6
Instruction Fuzzy Hash: 8A826C34A20216EFCB15DF68C484AAEBBF2FF88314F158559E5059B3A1CB74ED41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0122DF60, Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c00bf8e194e8a8f056385fb623e9342f916904b6a4dd72c0f8eeb5126870b5c
Instruction ID: 8f132958560edd5b3f7e006da1958f0f55965aee6cb4ec10e2715473722c88d5
Opcode Fuzzy Hash: 6c00bf8e194e8a8f056385fb623e9342f916904b6a4dd72c0f8eeb5126870b5c
Instruction Fuzzy Hash: 77D1B130B00215AFDB64FB78C85976EB6E2AFC9704F168828E516AF784DF74DC029791

Uniqueness

Uniqueness Score: -1.00%

Function 01222768, Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e89c8a4233705a75377e941184e84f475372507d53866864ae67c73a0d04ee4
Instruction ID: dc9ec89eb50ce359031a8a545e86ca710771567af68f1daf30f81a7ccdaf751b
Opcode Fuzzy Hash: 5e89c8a4233705a75377e941184e84f475372507d53866864ae67c73a0d04ee4
Instruction Fuzzy Hash: 0CD14E70A1012AEFDB15CFA8C984AADBBF6FF88300F198165E905AB361D772DC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01746940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 017469A0
GetCurrentThread.KERNEL32 ref: 017469DD
GetCurrentProcess.KERNEL32 ref: 01746A1A
GetCurrentThreadId.KERNEL32 ref: 01746A73

Memory Dump Source

Source File: 00000005.00000002.467773386.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bafaebb62e8efd69b60b8f80868e8d2311f405532a641985c46b8cf028c23281
Instruction ID: 7bbb18f40d4aa6e9706febfe140af352289f1aadf54c8d01277f5796b729c155
Opcode Fuzzy Hash: bafaebb62e8efd69b60b8f80868e8d2311f405532a641985c46b8cf028c23281
Instruction Fuzzy Hash: 2A5163B4A017498FDB14DFAAD548BDEBBF0EF89314F208069E409A7350C774A944CF62

Uniqueness

Uniqueness Score: -1.00%

Function 01221AC0, Relevance: 4.0, Strings: 3, Instructions: 229COMMON

Download Yara Rule

Strings

_, xrefs: 01221CF7
Xcl, xrefs: 01221C4B
Xcl, xrefs: 01221C41

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID: Xcl$Xcl$_
API String ID: 0-2227497157
Opcode ID: 34d9b3d5b1a55164da21c86cd5d6c0729787a00f80eb613a11cc96aba0669843
Instruction ID: e0201c91d9c72bbfc7ce620cef3bb37598976ec962d0429a625928e6406da728
Opcode Fuzzy Hash: 34d9b3d5b1a55164da21c86cd5d6c0729787a00f80eb613a11cc96aba0669843
Instruction Fuzzy Hash: B081C234B20126EFDB14DF6CC485EAEBBB2BF89344B158069DA05DB365E731D811CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0145B478, Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0145B4D7

Memory Dump Source

Source File: 00000005.00000002.467146916.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1262cd09ebf29d3974d722b52304e954b022fd9a69e26d03e53aaf5c181fa5b5
Instruction ID: 500ea5c29d598909f6bfc140e79f651d41b65acab9d48dff0404707f90b4e23e
Opcode Fuzzy Hash: 1262cd09ebf29d3974d722b52304e954b022fd9a69e26d03e53aaf5c181fa5b5
Instruction Fuzzy Hash: 8751B871B002059FCB44FBB4D8589AEB7B6FF88304F15896AE5129B755EF30E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0145B468, Relevance: 1.6, APIs: 1, Instructions: 141libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0145B4D7

Memory Dump Source

Source File: 00000005.00000002.467146916.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d2d515151b0185659340d0188d4aedbb9abbf19c8f9d3d063b01f720bcd5c7ac
Instruction ID: 229d47f8b10d0f301b5b2850a58b7405cf2ba238e662842fbb8ca77124499d53
Opcode Fuzzy Hash: d2d515151b0185659340d0188d4aedbb9abbf19c8f9d3d063b01f720bcd5c7ac
Instruction Fuzzy Hash: EB51B871B102059FCB44EFB4D844AEEB7B5FF88304F15892AE5129B755EF30D8058B61

Uniqueness

Uniqueness Score: -1.00%

Function 0154EE98, Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.467314191.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f540c22504cc6ed254e07742ac85c90b30f5925ee531b20adbb46dbe4e94a2
Instruction ID: f672732688e94015203d9075fac4f0785b93f93bc4740c7cea795ee85b62f718
Opcode Fuzzy Hash: 97f540c22504cc6ed254e07742ac85c90b30f5925ee531b20adbb46dbe4e94a2
Instruction Fuzzy Hash: A0412572E047558FCB00DFB9D40069EBBF0FF89228F09856AD518EB241DB789841CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01745084, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017451A2

Memory Dump Source

Source File: 00000005.00000002.467773386.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d28060938a3198f14b3115ffcce27efb5fb066d4d6d19c8abac6c89ef196db4d
Instruction ID: 33d4117ba74d288b387c0ca90f678e856217765e3f0873a4ee38d6d3938bc8a2
Opcode Fuzzy Hash: d28060938a3198f14b3115ffcce27efb5fb066d4d6d19c8abac6c89ef196db4d
Instruction Fuzzy Hash: BA51CEB1D102499FDB14CFA9C984ADEFFB1BF48314F64822AE819AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01458FD7, Relevance: 1.6, APIs: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0145F204

Memory Dump Source

Source File: 00000005.00000002.467146916.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9fa3c4b324721f3789ba3271f0fd8b75ab08ba1c193187d3ec98b4dcebdae54d
Instruction ID: ddc1d48a1d4ce4a5a8f927d2a8fb35ebc91fc77bb59fb576f0cc1a00035a6df9
Opcode Fuzzy Hash: 9fa3c4b324721f3789ba3271f0fd8b75ab08ba1c193187d3ec98b4dcebdae54d
Instruction Fuzzy Hash: CF415AB18053498FCB01DF99C484ACEFFF0BF4A314F59819AE804AB352D7759949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01745090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017451A2

Memory Dump Source

Source File: 00000005.00000002.467773386.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2b0addd97051377f99fdc02f6abd8f567336d11130535071191afaf9a4ae3fa0
Instruction ID: 58a8029d715fc019eeaf3a55490f0e34695b8ea7c33a14d29f15f5aeb96f4c07
Opcode Fuzzy Hash: 2b0addd97051377f99fdc02f6abd8f567336d11130535071191afaf9a4ae3fa0
Instruction Fuzzy Hash: 1341CEB1D003089FDB14CFAAC884ADEFBB5FF48314F64822AE819AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0145F0F0, Relevance: 1.6, APIs: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0145F204

Memory Dump Source

Source File: 00000005.00000002.467146916.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 76018fd4cb0a1c6d4f96a750d7930e8b16e0e987b990c19457847ab8a426911e
Instruction ID: 16aea4ff28eaa1b17d86e5db601b5ee175e6f0990f9eed985bde7a9fc23441ca
Opcode Fuzzy Hash: 76018fd4cb0a1c6d4f96a750d7930e8b16e0e987b990c19457847ab8a426911e
Instruction Fuzzy Hash: B24157B0E013498FDB04DFA9C544B8EFBF1AF49314F29C16AE808AB351D7759849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0174779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01747F09

Memory Dump Source

Source File: 00000005.00000002.467773386.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 28966bf5f6a8d27f377a7f46da7ba07f91b4b48f26bbd92aab88604f4e8d6944
Instruction ID: 77c937eea4f706c280006ba6391fa5ecfb47b480e47585a7b00f91199557b4c8
Opcode Fuzzy Hash: 28966bf5f6a8d27f377a7f46da7ba07f91b4b48f26bbd92aab88604f4e8d6944
Instruction Fuzzy Hash: 94413AB5A002058FDB14CF99C488AAAFBF5FF88314F25C559E519AB311D735A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01459058, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0145F471

Memory Dump Source

Source File: 00000005.00000002.467146916.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 894d3d0ad8173c01fc2eb0e96cb2b4852b377bee8c0c0bed477a7894eb8afee4
Instruction ID: 1495f2d75d22938c9b4ef44b1bedab5036433a39deae9d7c9e034076a1ebe9c9
Opcode Fuzzy Hash: 894d3d0ad8173c01fc2eb0e96cb2b4852b377bee8c0c0bed477a7894eb8afee4
Instruction Fuzzy Hash: 1E31E2B1D002589FCB10CF9AD884A9EBFF5BF49314F54812AE819AB311D774994ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 0145F3AC, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0145F471

Memory Dump Source

Source File: 00000005.00000002.467146916.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5c630c91339e9107f7b671273c572aa1fa59e29137d8543456ca5a081a08ae4c
Instruction ID: e3bf1db5293ef7c527678c493ef8d7c9ba13c128d2f64adb346267bdab5042f1
Opcode Fuzzy Hash: 5c630c91339e9107f7b671273c572aa1fa59e29137d8543456ca5a081a08ae4c
Instruction Fuzzy Hash: 27310EB1D002589FCB20CFA9D984ACEBFF1BF48310F54812AE819AB310D774994ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 0145904C, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0145F204

Memory Dump Source

Source File: 00000005.00000002.467146916.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1ca6fbbc69ee62ee70bc0506fda759d5875f1edc2bd89724263b4fee5aba49b9
Instruction ID: 53744c0d7ce460950ba987421d5d08def66293d0e02f5326951b912ab5650830
Opcode Fuzzy Hash: 1ca6fbbc69ee62ee70bc0506fda759d5875f1edc2bd89724263b4fee5aba49b9
Instruction Fuzzy Hash: EF3132B0D002498FDB00CF99C584A8EFFF5AF49304F69C16AE809AB311C7759989CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014517E0, Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01451881

Memory Dump Source

Source File: 00000005.00000002.467146916.0000000001450000.00000040.00000001.sdmp, Offset: 01450000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b046cf8748efb0e7433b6f8c32e3c9673a8595325f6826f2f5353bb4b9b47aaa
Instruction ID: 7645e64b83dc0b6217579410a93447dac18b669dfc4b536dab29a6f2d6457a91
Opcode Fuzzy Hash: b046cf8748efb0e7433b6f8c32e3c9673a8595325f6826f2f5353bb4b9b47aaa
Instruction Fuzzy Hash: 0D31AF30A00349DFDB15DFA4D594B9EBBB2FF85304F10846AD805AB3A2D73A9C45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0174C189, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0174C212

Memory Dump Source

Source File: 00000005.00000002.467773386.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: fb39408bb73ab602c07ba19a307b07538d24529eac7a2fa18deb0d9de521d306
Instruction ID: c2dcfbbb554656a44ff6d312b3fdd743622100e18695a4750ad23d3280264752
Opcode Fuzzy Hash: fb39408bb73ab602c07ba19a307b07538d24529eac7a2fa18deb0d9de521d306
Instruction Fuzzy Hash: F63103B08063858FEB11EFA8E5083AEBFF0EB45318F548059E44DA7342C7796809CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01746B62, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01746BEF

Memory Dump Source

Source File: 00000005.00000002.467773386.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 17b82b10e948917b13aed1e36fab3d8af8d79114fd9ec38c369422fb066bd40b
Instruction ID: b30d1e79c9dc85ddeb3e78bf5e28a1c3468b40f7eeabe4a9b433ea77a0130a1b
Opcode Fuzzy Hash: 17b82b10e948917b13aed1e36fab3d8af8d79114fd9ec38c369422fb066bd40b
Instruction Fuzzy Hash: CE21D2B5D002489FDB10DFA9D984ADEFBF4EB48324F14851AE915A7310D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01746B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01746BEF

Memory Dump Source

Source File: 00000005.00000002.467773386.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5b454cb0c938bca587a79bc66ed07e6a2c537877faa0e094a9b69ad580143d56
Instruction ID: 7c49b2fbcb6ac4ac6c8af44543450e61a5fa7cecf30e5f3373d08a1db84a2d90
Opcode Fuzzy Hash: 5b454cb0c938bca587a79bc66ed07e6a2c537877faa0e094a9b69ad580143d56
Instruction Fuzzy Hash: 1221C2B5D002489FDB10DFAAD984ADEFBF8EB49324F14841AF915A7310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122E9F1, Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

D0l, xrefs: 0122ED3B

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID: D0l
API String ID: 0-3512419482
Opcode ID: b2de6ab7b64df07dc080f5f1a87025046141bd0d61db8287cc972b61f1b07066
Instruction ID: c9e3d5242f27b2149a5ae2595e665225bab17667a48d34df3bd57f6b542e5fe7
Opcode Fuzzy Hash: b2de6ab7b64df07dc080f5f1a87025046141bd0d61db8287cc972b61f1b07066
Instruction Fuzzy Hash: 99B1FF707142269FDB25AB78C85166E7BA6FFC4600F0A8469D903CB791EF78CC41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0154E74C, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0154EEEA), ref: 0154EFD7

Memory Dump Source

Source File: 00000005.00000002.467314191.0000000001540000.00000040.00000001.sdmp, Offset: 01540000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 93210dd50e5e2f6d508e17b9345a0fcd0453dd5ea7dea9015a9cd7fdc717925f
Instruction ID: 6615a5b949ac147e8a32129c38cff28422558edbdb2d0ed19097febcd60c440c
Opcode Fuzzy Hash: 93210dd50e5e2f6d508e17b9345a0fcd0453dd5ea7dea9015a9cd7fdc717925f
Instruction Fuzzy Hash: BC1133B1C046199BCB10DFAAC444BDEFBF4FB48224F14856AE918A7200D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0174C198, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0174C212

Memory Dump Source

Source File: 00000005.00000002.467773386.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: ef34540af114fe96423fd56fec07480209f462006ee8b6c23e2c3de6c8a79889
Instruction ID: 2ef59d0facb55af16ebdb6b59aad1fe1ed05832e6462475f763b5a16390e0e78
Opcode Fuzzy Hash: ef34540af114fe96423fd56fec07480209f462006ee8b6c23e2c3de6c8a79889
Instruction Fuzzy Hash: 521179B19023458FDB10EFAAD54879EBBF4EB48324F648129E409A7640C7796544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01743300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01744116

Memory Dump Source

Source File: 00000005.00000002.467773386.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 260a2a86ebe27902d2c43a55218e0f4e46a95b711a0cfad878464c1affc67bee
Instruction ID: c56fca21a44e11b2066f4ef32568f5b1ed442a97e534f803805a5e8ec5f55f1c
Opcode Fuzzy Hash: 260a2a86ebe27902d2c43a55218e0f4e46a95b711a0cfad878464c1affc67bee
Instruction Fuzzy Hash: 1C1132B5D006498FDB20DF9AD444BDEFBF4EB89324F10806AD929B7200C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017440AA, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01744116

Memory Dump Source

Source File: 00000005.00000002.467773386.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 90a8d133d2410bddd1a57550cd6df354ff628d984edbc491e3260eccaf974735
Instruction ID: 93d29150adfd60230e96df8e01d320e7737e75a8a33062e65b82dbdedbabffff
Opcode Fuzzy Hash: 90a8d133d2410bddd1a57550cd6df354ff628d984edbc491e3260eccaf974735
Instruction Fuzzy Hash: 381132B5D006498FDB20DFAAD544BDEFBF0EB88324F14841AD419B7600C378A54ACFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01223E28, Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66eda37945e431ff68cd7d78387530ae6914dd8ade2f091cf18883412ac34db6
Instruction ID: 7c5b64663c46279f171579659eaa95bdd3eb0976adc78661398533711f69b102
Opcode Fuzzy Hash: 66eda37945e431ff68cd7d78387530ae6914dd8ade2f091cf18883412ac34db6
Instruction Fuzzy Hash: 92629070A041198FEB64EBA4C860B9E7BB2FF85304F1180ADD20AAB794DF359D41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0122AB70, Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6fb761c1b2a0d00b1b32391153eb6be54d5b73be198af5c05dd622646a195e
Instruction ID: 872878e789886dbe80416bc5358771e59452fb4580061eed687e0b53ec87051b
Opcode Fuzzy Hash: dc6fb761c1b2a0d00b1b32391153eb6be54d5b73be198af5c05dd622646a195e
Instruction Fuzzy Hash: 38228C70A102159FCB14EFB8D458A9DBBB2FF88310F158835E905EBB54EB389D46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0122E538, Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df39ef6fde32b0902c8352c93cc620c7573e70a94e55c4b6e220983239ea2bc0
Instruction ID: abf4355b93d1560597beee949ec6d34ff9a583c7ffb03dd0ad126bb1968bde4a
Opcode Fuzzy Hash: df39ef6fde32b0902c8352c93cc620c7573e70a94e55c4b6e220983239ea2bc0
Instruction Fuzzy Hash: FCD13570B102269FCB14DB78C454ABE7BF6AF84300F0A846AD506DB391DB79DC46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 012216C8, Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2d24669f0a99179044b3f80b11e8c128633f91dfb80c21d8573af29993e03b
Instruction ID: f80feaf3d2276e09f5d58162f5725c84011140fc430f4bd56706aa99e38d54e2
Opcode Fuzzy Hash: cb2d24669f0a99179044b3f80b11e8c128633f91dfb80c21d8573af29993e03b
Instruction Fuzzy Hash: 89C1E4303152269FDB15AF68C894B6E7BE2BFC9204F158029EA06CB395DF79CC11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01224C78, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5580f94bb82f1670d108643bcd9c446b2751d7fb53900b613d06da8bec45eb
Instruction ID: 0e328d63f96b1031e95153103bb0827131bb8c69ee1c83bc9566c2413eb68c22
Opcode Fuzzy Hash: ef5580f94bb82f1670d108643bcd9c446b2751d7fb53900b613d06da8bec45eb
Instruction Fuzzy Hash: 92D12D71A10265DFCB15DF6DD488DADBBF6BF88310B5A80A9E605AB361CB30EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01224B58, Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8331eac85e675c02c44424f8140bcd843e25a62a8000bcbd7eed641d6259e3a
Instruction ID: 9a2dcabbf73ed17d4cf24890a9a855a7efa8b6a748c31246112ceae4b46c2b9f
Opcode Fuzzy Hash: f8331eac85e675c02c44424f8140bcd843e25a62a8000bcbd7eed641d6259e3a
Instruction Fuzzy Hash: B7C11871E102659FCB04DFA8C588E9DBBF6BF88314F5A8099E615AB361DB30EC41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01222D48, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c05c7013dc376601a139bd9b1f602e45472b192b7dc04473bf70f2281d4981
Instruction ID: 12de201ef39c18617747d2f7c67e96ae1cbbe5aaac51395fefdfa00dd57ac41f
Opcode Fuzzy Hash: 87c05c7013dc376601a139bd9b1f602e45472b192b7dc04473bf70f2281d4981
Instruction Fuzzy Hash: A3C16D30A10229EFDB14DFA9C884E9EBBF2BF48314F158559EA05AB361D735ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01225280, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72e8cb5bcc6d602ecc0a9570bb6aa7337484fb7c051e04c8ca1dcbe9ce30061
Instruction ID: c47e05b0f78fd803526a82482608569ea7382ad06a000650f9dbf2b7b2f0247d
Opcode Fuzzy Hash: c72e8cb5bcc6d602ecc0a9570bb6aa7337484fb7c051e04c8ca1dcbe9ce30061
Instruction Fuzzy Hash: 71818071A1122AAFCB15CF68C484AADBBF5FF54311F16C459F9159B262C770E841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0122F3A0, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda05e436d064fec0ec60b4032a67c7dbaa63c778fdb309ce74e5b11d743ca5e
Instruction ID: 06867d154ce93225aad05d9a429c12a2924a2ceaf51c647692037bccddb44c4b
Opcode Fuzzy Hash: bda05e436d064fec0ec60b4032a67c7dbaa63c778fdb309ce74e5b11d743ca5e
Instruction Fuzzy Hash: EC61E230B142159FCB44EBB8D551AAE7BF2EFC5604B1584B9C10AEB750EF389D06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01223AC8, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6f70a93ae0d0ef3cf1d7c4c7560530cf403d815fcfde3b014774c1094c942e
Instruction ID: 24c65f100817193ecd2d92de0f77fef9b2f1de4bd2354362e928d579fa0c5e6d
Opcode Fuzzy Hash: 3b6f70a93ae0d0ef3cf1d7c4c7560530cf403d815fcfde3b014774c1094c942e
Instruction Fuzzy Hash: EF518035724122AFDB04DF3EC888A6EBBE9BF4C650B0544A9E506CB261EB39DC018B50

Uniqueness

Uniqueness Score: -1.00%

Function 012254F0, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d41606344536d35112fda3e11bfb08a0df5f46284b7866424cf93b35a86fd6
Instruction ID: 14b2e2657bf7485f63fd09b43c4c4868757838288eb834a338188cf52071c82a
Opcode Fuzzy Hash: d3d41606344536d35112fda3e11bfb08a0df5f46284b7866424cf93b35a86fd6
Instruction Fuzzy Hash: F54193313111259FCB159F68E854ABE3BF2EF95211F058469F90ACB351DB39CC62CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01222618, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25affec129b4b5de4139e555f4cacd15c70ff2ba68c5c01aa61fd77a35341bd9
Instruction ID: 2c9605d037fff03ec23d4e79503145e5f7ad39f2584071bc93d980bff39c518b
Opcode Fuzzy Hash: 25affec129b4b5de4139e555f4cacd15c70ff2ba68c5c01aa61fd77a35341bd9
Instruction Fuzzy Hash: 72411231A14219EFCB25DF64C804BBEBBF6EB84304F04802AE9159B251CB7ADD55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122B690, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca66cea861ecd635545e2b664fad14bc4ee203193d85c4ec04cf96fae1659ecd
Instruction ID: 5c0f94a40377a2e04147899280f72d76c9036f6e9f4fe238678bb3dc72aeae26
Opcode Fuzzy Hash: ca66cea861ecd635545e2b664fad14bc4ee203193d85c4ec04cf96fae1659ecd
Instruction Fuzzy Hash: 8141D031B142119FC745DF78D8486AE7BF1EF8A310B0984B6D909DB396EB38CC068B51

Uniqueness

Uniqueness Score: -1.00%

Function 012238D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649dc66a42bdd30abc08bcaed3a4dcd02c3521011db45e7d7a539e41c8f0d14b
Instruction ID: 9f48d099d584d149c8387eb3aace993f3c88806f7850ad2eb4b68bb2ac18fa4c
Opcode Fuzzy Hash: 649dc66a42bdd30abc08bcaed3a4dcd02c3521011db45e7d7a539e41c8f0d14b
Instruction Fuzzy Hash: 234128747202259FCB14DF69C888BAE7BB5BB8D310F000069FA068B3A1CB75DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012214A8, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5417578bd1ec3aa4336e85f8e10665e9f75377e2569e2ca9384f95c6a57037b
Instruction ID: 45f1a40ab6934dde3507ac85246c3fa9438f8fa93530c24ed0cea887d431dd68
Opcode Fuzzy Hash: f5417578bd1ec3aa4336e85f8e10665e9f75377e2569e2ca9384f95c6a57037b
Instruction Fuzzy Hash: 5B41823131111AAFCF02AF69E854AAE7BE6FB89300F044065FE0697255CB39CD32DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0122B808, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39587e284ae4777b00117b7d9849298c60c002eb8e5f323e3c162ab7ad10d3d6
Instruction ID: 25eff9bcf592be8c544dc0cde939952f1b40418bb8b394f96c5dff28e70ef5b0
Opcode Fuzzy Hash: 39587e284ae4777b00117b7d9849298c60c002eb8e5f323e3c162ab7ad10d3d6
Instruction Fuzzy Hash: DE31A430B102169FDB54AFB4D4246AEBBE2AF88204B158429D516EF794DF74DC05CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0122B7F9, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bf27b1da915ce7c71d80565d69cc393d240c9c58c18bf613361074896567d5
Instruction ID: a5568b64fe1ae02e953d95fc7166dd622a5d98eefc814fd1da9cc2900e45568a
Opcode Fuzzy Hash: 12bf27b1da915ce7c71d80565d69cc393d240c9c58c18bf613361074896567d5
Instruction Fuzzy Hash: 7331E770B102129FCB54AF74D0246AE77F2AF88204B158429D116EF794EF74DC05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0122AEA8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c51efea6a987957138876c41e809daa5a2bab3184a0415a2bac5e21c9f490ef
Instruction ID: 705acac5027ee108890280ac2828ca1670cc00fcd0673625667c52c4e7a1e1d7
Opcode Fuzzy Hash: 4c51efea6a987957138876c41e809daa5a2bab3184a0415a2bac5e21c9f490ef
Instruction Fuzzy Hash: 5D310670B201239BCF21EAACD49066EB362FB85310F154839D52ADBF81D73EDD468792

Uniqueness

Uniqueness Score: -1.00%

Function 01223D18, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567f7ed21d4f02751546d746f3fa4949fb89734d635fa6714a9b8184b3c474f6
Instruction ID: 3089daec4053b43b268fb11ccb496162c2ac187e86e2c84784e55471af97ee45
Opcode Fuzzy Hash: 567f7ed21d4f02751546d746f3fa4949fb89734d635fa6714a9b8184b3c474f6
Instruction Fuzzy Hash: BC21C5303202266BDB25A629C49467E7A9BBFC9614F144079EA03DB795EF7DCC429382

Uniqueness

Uniqueness Score: -1.00%

Function 0122E480, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bde17cff79642284724dbe5c837910f4945b6a0862f3b5ae642f52b0321ce8c
Instruction ID: 08845544a75293f9290adbd5a14f9bdc2ba2dd0451d70b3400c5d8cfa17a2936
Opcode Fuzzy Hash: 9bde17cff79642284724dbe5c837910f4945b6a0862f3b5ae642f52b0321ce8c
Instruction Fuzzy Hash: 55216A317252619FC305963CA804BBA3BE6CFD5711F0A84BBD509C7292FAA9CC168701

Uniqueness

Uniqueness Score: -1.00%

Function 01223D09, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347f7a1a4c76b3591095dc79e386a56ba2fcb35959f9a73e3ef3e85c35f34930
Instruction ID: bc95246b12a3b91836a628456d037c2873798446c80115b5e5904ad497851faf
Opcode Fuzzy Hash: 347f7a1a4c76b3591095dc79e386a56ba2fcb35959f9a73e3ef3e85c35f34930
Instruction Fuzzy Hash: 11212F303203265BDB25A739949463D3A97BFCD514B044079EA03DB7D5DF3DC8019382

Uniqueness

Uniqueness Score: -1.00%

Function 01223C10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1acf81ccf3df3ae016a8f6ab17306f3f778ecfa6c0fee5989ed8f67a3a0dff46
Instruction ID: a7f6e24a39dbc80a072df3f609c19673a986d7e753cff5d7e9ec7b036cbc6f7b
Opcode Fuzzy Hash: 1acf81ccf3df3ae016a8f6ab17306f3f778ecfa6c0fee5989ed8f67a3a0dff46
Instruction Fuzzy Hash: 61218671734266AFDB11CE7B9844A6F7BEAFB89250F054426F906C7241DB79CD40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0122AB10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3766326f86759b11b1a90a96e24479d339d976049c3e9250d024d3acf25b460
Instruction ID: 4f989548e3c437ed3c0062907ba9d077c4402b19b706cb6315296e1da0de7855
Opcode Fuzzy Hash: c3766326f86759b11b1a90a96e24479d339d976049c3e9250d024d3acf25b460
Instruction Fuzzy Hash: 6E31D170E102169FCB05CFA8D9846DDBBF2EF89314F18847AD504EBA52E334D846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0122F640, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3cc78ee40ef1f7cf344d2539319b0168b0159aedb900af2a24537e9d4815b1
Instruction ID: dad41c310f556c24d57fa1298c7a96d2d13c33876ec7fcaefbd84b17bf9938bb
Opcode Fuzzy Hash: 4d3cc78ee40ef1f7cf344d2539319b0168b0159aedb900af2a24537e9d4815b1
Instruction Fuzzy Hash: E231F270B102228FCB45EF78D400AAE7BF1EF89210B5584BAD509E7361EB38DC058B51

Uniqueness

Uniqueness Score: -1.00%

Function 0122D1A1, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98feb0f7c5abda9dfed6cdecfeea9f5f78f26b7f8568c3ef6e998152dc531df8
Instruction ID: 0aa3a49ee5559009cfac9c6fbf2fd10b69b24b6dcaaf4c70fbbdd2615fed176c
Opcode Fuzzy Hash: 98feb0f7c5abda9dfed6cdecfeea9f5f78f26b7f8568c3ef6e998152dc531df8
Instruction Fuzzy Hash: 3521B170B202269FCB41EBB8D800AAE77F1EF89610B158576D509E7755EB38DC068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0122D081, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e931a40b320ec87a313e608d73640b80bf660f6b78b4f3b2be3becbb728dbecd
Instruction ID: fd46dee47646452d2ccf54ef715aa4b04cfc415074c7c7d2df2cf1e26a70c85b
Opcode Fuzzy Hash: e931a40b320ec87a313e608d73640b80bf660f6b78b4f3b2be3becbb728dbecd
Instruction Fuzzy Hash: FD219170F202258FCB41EFB8C445AAE77F1FB98210B51887AD509E7751EB389D068B51

Uniqueness

Uniqueness Score: -1.00%

Function 0158D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.467443917.000000000158D000.00000040.00000001.sdmp, Offset: 0158D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2baf1567900a22fa836e58e1fdbd1a986160429d19def30132b97b3eb20440
Instruction ID: 4a9d31c2c6b7be780c494e60d66cbb49275c289e63f2478b7eb3d5fa2a7e3b2b
Opcode Fuzzy Hash: be2baf1567900a22fa836e58e1fdbd1a986160429d19def30132b97b3eb20440
Instruction Fuzzy Hash: 6B210071504240EFDB01EF58D9C0F6ABBB5FB88224F248569E9055F296C376E816CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122DEFF, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285c898351481136c28aa7826602e9e3dec1ec641cac71a3a9aa18a9e8ee1ed5
Instruction ID: 4ab8c6cf15ee247bfb9a3d12426d087a87779293539d43915da25e21ac7adaa5
Opcode Fuzzy Hash: 285c898351481136c28aa7826602e9e3dec1ec641cac71a3a9aa18a9e8ee1ed5
Instruction Fuzzy Hash: 1B2101B0F102058FDB41EBB88904AAEB7F5EFA4310F018976D549EB345FA38DC068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0159D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.467486738.000000000159D000.00000040.00000001.sdmp, Offset: 0159D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f6f5f1f16c30abf2ce781ea236d0a6edc25af2332785a68eb638c670afb57f
Instruction ID: bef84c88c69b9f2f35218e4aa01df341e8b1e96bb09d20e6b29a0b5dd419abd8
Opcode Fuzzy Hash: 92f6f5f1f16c30abf2ce781ea236d0a6edc25af2332785a68eb638c670afb57f
Instruction Fuzzy Hash: 9221FF75604240DFDF15DFA4D9C0B2ABBB5FB84254F24C969E80A4F246D33BD806CA62

Uniqueness

Uniqueness Score: -1.00%

Function 012219E0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3261636ac449f248e4ec12615bd043d68f81c375620e0175b555f565ac527c22
Instruction ID: 38dcaa5ef6b08609862bb6162b0dbdbc2280f557e18955c027469303f0a7e31f
Opcode Fuzzy Hash: 3261636ac449f248e4ec12615bd043d68f81c375620e0175b555f565ac527c22
Instruction Fuzzy Hash: CE11E3353126229BD719AB29D494A7E7BE2EF856A5F184078EA06CB354DF34DC11C780

Uniqueness

Uniqueness Score: -1.00%

Function 0159D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.467486738.000000000159D000.00000040.00000001.sdmp, Offset: 0159D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c3af23acc70eb9065f45ccf9263f6b47bf1e412c149429aa615a2374de5afc
Instruction ID: 57cdd1fbf681170d8de42607ba2d5651bc3cafb6a62d683ad5203e7adefed1a6
Opcode Fuzzy Hash: 60c3af23acc70eb9065f45ccf9263f6b47bf1e412c149429aa615a2374de5afc
Instruction Fuzzy Hash: 05219F755093808FDB03CF24D990B15BF71FB46214F28C5EAD8498F6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 012219F0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d8b53e2b99ab4a9abc1520a5b018000513e99bb85e193d440aba37b7a1e757
Instruction ID: f28e27e404e0398a82086b3fd25ebe366209e9cd77eda24351f5bfff54ce500e
Opcode Fuzzy Hash: c7d8b53e2b99ab4a9abc1520a5b018000513e99bb85e193d440aba37b7a1e757
Instruction Fuzzy Hash: 8511E1313126229BD729AA29C45493EB7E6FFC86A17154078EA06CB354DF30DC12C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0158D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.467443917.000000000158D000.00000040.00000001.sdmp, Offset: 0158D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01c435ae5d42b7d36ca4077b1cfa8425bf2c0d5b74066c90e0bd1c1ef6731ee
Instruction ID: 36cd2c09af1ff81a06c65ce4fbc33c12f336c53852b1c48e02ca2482388c37b5
Opcode Fuzzy Hash: c01c435ae5d42b7d36ca4077b1cfa8425bf2c0d5b74066c90e0bd1c1ef6731ee
Instruction Fuzzy Hash: A611AF76404280DFDB12DF54D5C4B1ABFB1FB84324F2486AAD8091B657C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01225448, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52aa79ca2d9e8561992e76162290aae8c7d9ce03d989d0e393a58c6ccfa2fc37
Instruction ID: 57eba641f90f09e5986ba10c7cf5042bb2853b9d5077575179b274f1113a56d3
Opcode Fuzzy Hash: 52aa79ca2d9e8561992e76162290aae8c7d9ce03d989d0e393a58c6ccfa2fc37
Instruction Fuzzy Hash: 37114F75E0122A9FCB01EFA9D9449EEFBF5FB48201F10842AE915E3245D7748A15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012214F0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fefb00ab7c57cf10136384459366a0886b3cc5fc06767551e917fd6b352e686
Instruction ID: 4aa9a44cc1f381ec63a686887fe685db41f0dff9fe51df42001277bd9e14931c
Opcode Fuzzy Hash: 6fefb00ab7c57cf10136384459366a0886b3cc5fc06767551e917fd6b352e686
Instruction Fuzzy Hash: 7511703161012AAFCB119F28E444AAE7BF5FB88310F044075FA0697211CB78CD75CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0122D0E0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5288dcc29eb9496f586f379d3238d6b13fd47304912ef0d741a66f900ed0ee25
Instruction ID: 176472f83f88112f223ee4304bc2ba7ef2fe3ebde45c039372bea4d2a861ff56
Opcode Fuzzy Hash: 5288dcc29eb9496f586f379d3238d6b13fd47304912ef0d741a66f900ed0ee25
Instruction Fuzzy Hash: 04113C70F201259F8B40EFB8C8459AEBBF1FFC86107518469D509E7354EB38AD018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122B738, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d418de810f36cab7d55c0daa1205bfe144f960530b65c731f4d103e57a3ab60
Instruction ID: d256d70e57f2d653c59a19e2d4cef2861608691b3ea5c4d3b0e5549e9c0017a4
Opcode Fuzzy Hash: 8d418de810f36cab7d55c0daa1205bfe144f960530b65c731f4d103e57a3ab60
Instruction Fuzzy Hash: 43117334F102259F8B40EFB8D849AAEBBF5FB8D6117058425E90AE7344EF349C02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01221628, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109456797982f7d8fe782b19886c47f558df2843b15094a8ad2af3e26aa67002
Instruction ID: f131b4eea54110d47f6e8628763bce994e2b9765ae4ab4fdf70f62074db5fc7e
Opcode Fuzzy Hash: 109456797982f7d8fe782b19886c47f558df2843b15094a8ad2af3e26aa67002
Instruction Fuzzy Hash: DB0175327011196FDB15AE69D801BFF3BEBEBC8650F198029F605D7244DB75C9129790

Uniqueness

Uniqueness Score: -1.00%

Function 0122D200, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac357ca38316c80072eb7e582713039393e399b792a2facee120250a4a6d192
Instruction ID: ac8a2e414533b3647e1905641a9fe4448191a01bcb0b9e24c374de18e02de02d
Opcode Fuzzy Hash: bac357ca38316c80072eb7e582713039393e399b792a2facee120250a4a6d192
Instruction Fuzzy Hash: 1D115E70F202259F8B40EFB8D8449AEB7F1FF89610751C579D509E7354EB38AD028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122F6A0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311e4834da7125f209a216fb84d57233c95949a2e0552505265add9650f98b87
Instruction ID: 434780fdf0c726412a6434086714a64a26eed7fbd351a92d3ab7ae5d68dbe17d
Opcode Fuzzy Hash: 311e4834da7125f209a216fb84d57233c95949a2e0552505265add9650f98b87
Instruction Fuzzy Hash: C4118B70F201259F8B40EFB8D8409AEB7F2FF886107118579D509E7310EB38AD02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122FED0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4814c8e4d69e542e35215d148927dff01117355beecc69e0b5c0134f521c339
Instruction ID: 7469ce6feda6523d40777552d2fb69f61aabbeba98d6f97fdda957322c8d1d34
Opcode Fuzzy Hash: c4814c8e4d69e542e35215d148927dff01117355beecc69e0b5c0134f521c339
Instruction Fuzzy Hash: 1311053216E3D16FC7036B3498B04D53FB09E5356871A48E7D280CF4A3EA281C4AD7B6

Uniqueness

Uniqueness Score: -1.00%

Function 0122EDC0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485e2bd54b53ad9bcddd960cfd8b288a50f934c5a1750ba1250e5b8d64b30037
Instruction ID: 8b100c8f57444706816eed79eaeb2e0139eafb0ebd5d76518e00b6e6e93cd22c
Opcode Fuzzy Hash: 485e2bd54b53ad9bcddd960cfd8b288a50f934c5a1750ba1250e5b8d64b30037
Instruction Fuzzy Hash: 1CF0C8313102109FD719DB3DE844A6E37B5EF85325B1A49ADF906CB2B2CB71DC518B40

Uniqueness

Uniqueness Score: -1.00%

Function 0122EDD0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249633e689cc25b857cb6549019864f8ebfcba0c5cd3119f49bd0777f92340b0
Instruction ID: aa55648a1774fac8be0f63c26ef90b9392c6d04eff8626cd29b02d397b2494b6
Opcode Fuzzy Hash: 249633e689cc25b857cb6549019864f8ebfcba0c5cd3119f49bd0777f92340b0
Instruction Fuzzy Hash: D8F082353112109FD708AF3AE85893A77EAEFC862170584B9F506CB371CE61DC018790

Uniqueness

Uniqueness Score: -1.00%

Function 0122FF02, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b7c76a93a63616fa7cdde7e0db649213f4dd8c86dd17294407447ac5228cb8
Instruction ID: 96f0cb352a84d92a351fd4fd739724822f467f63e2ec8ae9d3f7a22aaae2f2a7
Opcode Fuzzy Hash: 85b7c76a93a63616fa7cdde7e0db649213f4dd8c86dd17294407447ac5228cb8
Instruction Fuzzy Hash: AEF0173121E3806FC703AB74A8701D53F749F5322971A48E7D180CF4A3EA69280AD7B6

Uniqueness

Uniqueness Score: -1.00%

Function 0122AA98, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116a15df7a6e7dad8d9702396196cd54dd26d63dfdeebc94c2a214f1c600b76e
Instruction ID: c3364e50cb6dba129aaa93d24db725d12426cfa14a147bdc67cefa8c38871c9a
Opcode Fuzzy Hash: 116a15df7a6e7dad8d9702396196cd54dd26d63dfdeebc94c2a214f1c600b76e
Instruction Fuzzy Hash: E3E0E5F7E102158FC744DFBC99056AE7BF4BB5C211B010966D519E3300F6304941CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0122D13F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abba1716f69c63ec7d3f5f7395daa6c9b5888d9b788f5d50a7d0b073a5a0c3c
Instruction ID: 2b7e6b95665c58bb7f8ba0c8eef7cb7e8e96cdd0a0f2ee3026feedf692f75c8e
Opcode Fuzzy Hash: 5abba1716f69c63ec7d3f5f7395daa6c9b5888d9b788f5d50a7d0b073a5a0c3c
Instruction Fuzzy Hash: 81E0ED35B200259B8F04EBB8D8458EDB7F1FF8C1157158065D60AE7358EF38AC01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0122F5DF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68ab698123009cb3601f8d1389cbf4d3a7363db6624121a1c07245c4679874c
Instruction ID: ce84778e13d747acc99f177d3af366669ccb3c430eb17065fa9d6647f6295670
Opcode Fuzzy Hash: f68ab698123009cb3601f8d1389cbf4d3a7363db6624121a1c07245c4679874c
Instruction Fuzzy Hash: 86E0ED35B200259B9F00EBB8D4558ADB3F1FF8C215B458065D60AE7364DE38AD01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0122B799, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31dc40258202a7a301cc23f3be418daa969566187fa61370431eec317d7f0e7a
Instruction ID: 1f439c0f065421246dc0442f07ffe64e51199af964d755b5e57a36a0cf844391
Opcode Fuzzy Hash: 31dc40258202a7a301cc23f3be418daa969566187fa61370431eec317d7f0e7a
Instruction Fuzzy Hash: 88E0E539B141259B8F44EBB8D84959DB7F1FF8C2257058065E50AD7358DF345C01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0122D25F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdc556fafe4caf47e1f5119d8db6d00492726487d32bc895bedac5c63c3fd87
Instruction ID: eb678c20d1f71fa9539c423baf27e876686e972771f5827e7f4e9c723b7b2d25
Opcode Fuzzy Hash: dfdc556fafe4caf47e1f5119d8db6d00492726487d32bc895bedac5c63c3fd87
Instruction Fuzzy Hash: 70E0ED35B201259B8F00FBB8D8458ADB3F1EF8C125715C165D60AE7358DF38AC01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0122AAA8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cd33821aff1350a40dd736bfdf4f91614f3798320235376879138b0c7aa0cd
Instruction ID: 38433922eaece7d11cce3704f4b0f9be78c8b86c092bd92c4fa9fcd4c0d8672d
Opcode Fuzzy Hash: 04cd33821aff1350a40dd736bfdf4f91614f3798320235376879138b0c7aa0cd
Instruction Fuzzy Hash: 49E01275E141199F8750DBBD99055AE7BF9EA8C211B050476E519E3200EA704901CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0122F6FF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b719388d7cb2ace2ae7883acdd81d0528b0dae6b8c43f578e409d7cc8fc028
Instruction ID: 2fafcb412cf09a44ec470228fccbe1c020c468e5a0afd8f6d607c9a1d58cf3d5
Opcode Fuzzy Hash: 81b719388d7cb2ace2ae7883acdd81d0528b0dae6b8c43f578e409d7cc8fc028
Instruction Fuzzy Hash: 02E0ED35B200259B8F04EBB8D4458ADB3F1EF9C1157158065D60AE7354DF38AD01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01221D70, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdd6ff88db1b171e4ffd9e7427ae6564bfe7502b7ef0b530dde66c4b9e0a69e
Instruction ID: 5e84b79ab251d2a6406ae8da96ee32d434f0ae8888a785fa7b4ffdc5a037a560
Opcode Fuzzy Hash: dfdd6ff88db1b171e4ffd9e7427ae6564bfe7502b7ef0b530dde66c4b9e0a69e
Instruction Fuzzy Hash: 58D02E3020820A06D7C0BF60FC02352379AA3C2148F08CC31E0009AA29EF7C8C08CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01221D80, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0f7b97f1a087483fc5ce56df0c6bbbcff079541bd182013bf0ee9e4c181e28
Instruction ID: e3281c7b7afcc4dc5304baab837c1dfc2c3e44af1805c41c227dc0bc2bf90208
Opcode Fuzzy Hash: 1e0f7b97f1a087483fc5ce56df0c6bbbcff079541bd182013bf0ee9e4c181e28
Instruction Fuzzy Hash: BDC0123020820647C5C0BFA4F851415335AA6C1508348CD31E1045A628DF7C9D55D796

Uniqueness

Uniqueness Score: -1.00%

Function 0122FF30, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dba63c0e1e462d021ae9f83ee288181c4968177cd314f3d74886f81e262601
Instruction ID: 71736e3cb9ba74b1fa57bb50e9e17c1b4755aa1eb2f02ac9e113e52402d1095a
Opcode Fuzzy Hash: f5dba63c0e1e462d021ae9f83ee288181c4968177cd314f3d74886f81e262601
Instruction Fuzzy Hash: 60C0123031430862D600BFA0E420A98330A8BC0B1CF4A8C71D7048AAA0AF7C7C09EAB6

Uniqueness

Uniqueness Score: -1.00%

Function 01225721, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.464748639.0000000001220000.00000040.00000001.sdmp, Offset: 01220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd9a13d830b502809ae0cfb3d25a41af532eef521faa372e1c58d9b158c6265
Instruction ID: 691ba1f400ee00a3028f7d1a96f8e939b158ffec1e324724528ecc28bdde0279
Opcode Fuzzy Hash: 9cd9a13d830b502809ae0cfb3d25a41af532eef521faa372e1c58d9b158c6265
Instruction Fuzzy Hash: 32C04C36F25528EB5B00DEC8A4410DCB3A5EB88579B10C057D51992640D7B15B298A96

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Copyofreceipt.scr

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre