Play interactive tour

Edit tour

Analysis Report receipt.exe

Overview

General Information

Sample Name:	receipt.exe
Analysis ID:	357256
MD5:	a4a4bc6e3283ecc66cd4a4dc864acd9a
SHA1:	2114e1c9fbbc3ffa9921338e09deff202aba01bf
SHA256:	962debf4655a7917256ad3234217b1927a2c88afd4631ed8258121c5b9e2dfee
Tags:	exeNanoCoreRATUSPS
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

receipt.exe (PID: 7032 cmdline: 'C:\Users\user\Desktop\receipt.exe' MD5: A4A4BC6E3283ECC66CD4A4DC864ACD9A)

schtasks.exe (PID: 5728 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6664 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

RegSvcs.exe (PID: 6632 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

dhcpmon.exe (PID: 6296 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9d885:$x1: NanoCore.ClientPluginHost 0x9d8c2:$x2: IClientNetworkHost 0xa13f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9d5ed:$a: NanoCore 0x9d5fd:$a: NanoCore 0x9d831:$a: NanoCore 0x9d845:$a: NanoCore 0x9d885:$a: NanoCore 0x9d64c:$b: ClientPlugin 0x9d84e:$b: ClientPlugin 0x9d88e:$b: ClientPlugin 0x9d773:$c: ProjectData 0x9e17a:$d: DESCrypto 0xa5b46:$e: KeepAlive 0xa3b34:$g: LogClientMessage 0x9fd2f:$i: get_Connected 0x9e4b0:$j: #=q 0x9e4e0:$j: #=q 0x9e4fc:$j: #=q 0x9e52c:$j: #=q 0x9e548:$j: #=q 0x9e564:$j: #=q 0x9e594:$j: #=q 0x9e5b0:$j: #=q
00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1fe0ad:$x1: NanoCore.ClientPluginHost 0x1fe0ea:$x2: IClientNetworkHost 0x201c1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1fde15:$a: NanoCore 0x1fde25:$a: NanoCore 0x1fe059:$a: NanoCore 0x1fe06d:$a: NanoCore 0x1fe0ad:$a: NanoCore 0x1fde74:$b: ClientPlugin 0x1fe076:$b: ClientPlugin 0x1fe0b6:$b: ClientPlugin 0x1452f6:$c: ProjectData 0x1fdf9b:$c: ProjectData 0x1fe9a2:$d: DESCrypto 0x20636e:$e: KeepAlive 0x20435c:$g: LogClientMessage 0x200557:$i: get_Connected 0x1fecd8:$j: #=q 0x1fed08:$j: #=q 0x1fed24:$j: #=q 0x1fed54:$j: #=q 0x1fed70:$j: #=q 0x1fed8c:$j: #=q 0x1fedbc:$j: #=q
Process Memory Space: receipt.exe PID: 7032	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x148b5a:$x1: NanoCore.ClientPluginHost 0x28c45b:$x1: NanoCore.ClientPluginHost 0x148bbb:$x2: IClientNetworkHost 0x28c4bc:$x2: IClientNetworkHost 0x14dfc0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x15bf32:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2918c1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x29f833:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: receipt.exe PID: 7032	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: receipt.exe PID: 7032	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14865f:$a: NanoCore 0x14867b:$a: NanoCore 0x1487d6:$a: NanoCore 0x1487e5:$a: NanoCore 0x148abe:$a: NanoCore 0x148aea:$a: NanoCore 0x148b5a:$a: NanoCore 0x15859c:$a: NanoCore 0x1585ae:$a: NanoCore 0x1585ea:$a: NanoCore 0x28bf60:$a: NanoCore 0x28bf7c:$a: NanoCore 0x28c0d7:$a: NanoCore 0x28c0e6:$a: NanoCore 0x28c3bf:$a: NanoCore 0x28c3eb:$a: NanoCore 0x28c45b:$a: NanoCore 0x29be9d:$a: NanoCore 0x29beaf:$a: NanoCore 0x29beeb:$a: NanoCore 0x148706:$b: ClientPlugin
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.receipt.exe.3c85f20.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.receipt.exe.3c85f20.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.receipt.exe.3c85f20.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.receipt.exe.3c85f20.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.receipt.exe.3c85f20.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.receipt.exe.3c85f20.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.receipt.exe.3c85f20.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.receipt.exe.3f268d8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9cfad:$x1: NanoCore.ClientPluginHost 0x9cfea:$x2: IClientNetworkHost 0xa0b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.receipt.exe.3f268d8.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.receipt.exe.3f268d8.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9cd15:$a: NanoCore 0x9cd25:$a: NanoCore 0x9cf59:$a: NanoCore 0x9cf6d:$a: NanoCore 0x9cfad:$a: NanoCore 0x9cd74:$b: ClientPlugin 0x9cf76:$b: ClientPlugin 0x9cfb6:$b: ClientPlugin 0x9ce9b:$c: ProjectData 0x9d8a2:$d: DESCrypto 0xa526e:$e: KeepAlive 0xa325c:$g: LogClientMessage 0x9f457:$i: get_Connected 0x9dbd8:$j: #=q 0x9dc08:$j: #=q 0x9dc24:$j: #=q 0x9dc54:$j: #=q 0x9dc70:$j: #=q 0x9dc8c:$j: #=q 0x9dcbc:$j: #=q 0x9dcd8:$j: #=q
0.2.receipt.exe.3b85e70.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x11023d:$x1: NanoCore.ClientPluginHost 0x11027a:$x2: IClientNetworkHost 0x113dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.receipt.exe.3b85e70.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.receipt.exe.3b85e70.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10ffa5:$a: NanoCore 0x10ffb5:$a: NanoCore 0x1101e9:$a: NanoCore 0x1101fd:$a: NanoCore 0x11023d:$a: NanoCore 0x110004:$b: ClientPlugin 0x110206:$b: ClientPlugin 0x110246:$b: ClientPlugin 0x57486:$c: ProjectData 0x11012b:$c: ProjectData 0x110b32:$d: DESCrypto 0x1184fe:$e: KeepAlive 0x1164ec:$g: LogClientMessage 0x1126e7:$i: get_Connected 0x110e68:$j: #=q 0x110e98:$j: #=q 0x110eb4:$j: #=q 0x110ee4:$j: #=q 0x110f00:$j: #=q 0x110f1c:$j: #=q 0x110f4c:$j: #=q
Click to see the 8 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6632, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\receipt.exe' , ParentImage: C:\Users\user\Desktop\receipt.exe, ParentProcessId: 7032, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp', ProcessId: 5728

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CjkDta.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Show sources

Source: receipt.exe	Virustotal: Detection: 43%			Perma Link
Source: receipt.exe	ReversingLabs: Detection: 31%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY
Source: Yara match	File source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CjkDta.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: receipt.exe

Joe Sandbox ML: detected

Source: 0.2.receipt.exe.410000.0.unpack

Avira: Label: TR/Crypt.XPACK.Gen3

Compliance:

Uses 32bit PE files

Show sources

Source: receipt.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\receipt.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: receipt.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source:	Binary string: mscorrc.pdb source: receipt.exe, 00000000.00000002.699989873.0000000005A60000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49736 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49746 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49758 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49761 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49762 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49774 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 45.15.143.249:7890
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 45.15.143.249:7890

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 45.15.143.249:7890

Source: Joe Sandbox View

ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS

Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.143.249

Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: receipt.exe, 00000000.00000003.648538472.00000000052B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: receipt.exe, 00000000.00000003.648039451.00000000052B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: receipt.exe, 00000000.00000003.648097931.00000000052B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coma
Source: receipt.exe, 00000000.00000003.648538472.00000000052B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comel
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: receipt.exe, 00000000.00000003.651051823.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: receipt.exe, 00000000.00000003.660320142.00000000052B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers$
Source: receipt.exe, 00000000.00000003.651023261.00000000052BF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: receipt.exe, 00000000.00000003.652003773.00000000052AE000.00000004.00000001.sdmp, receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: receipt.exe, 00000000.00000003.655160906.00000000052BF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersE
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: receipt.exe, 00000000.00000003.651625918.00000000052BF000.00000004.00000001.sdmp, receipt.exe, 00000000.00000003.651542933.00000000052BF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: receipt.exe, 00000000.00000003.651099578.00000000052BF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers_
Source: receipt.exe, 00000000.00000003.654447369.00000000052BF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers~
Source: receipt.exe, 00000000.00000003.652761536.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com=
Source: receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comE.TTF
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comI
Source: receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: receipt.exe, 00000000.00000003.654868204.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsF
Source: receipt.exe, 00000000.00000003.652420790.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come
Source: receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comepko
Source: receipt.exe, 00000000.00000003.651507255.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coml1
Source: receipt.exe, 00000000.00000003.651125862.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comldf;
Source: receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comldu
Source: receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: receipt.exe, 00000000.00000003.653260424.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm;
Source: receipt.exe, 00000000.00000003.653260424.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsief
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsiva
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: receipt.exe, 00000000.00000003.647713348.00000000052AF000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: receipt.exe, 00000000.00000003.647614140.00000000052AF000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn:
Source: receipt.exe, 00000000.00000003.647816511.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnTN(
Source: receipt.exe, 00000000.00000003.656612702.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: receipt.exe, 00000000.00000003.656612702.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/I
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: receipt.exe, 00000000.00000003.649098670.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Curs%
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: receipt.exe, 00000000.00000003.649496258.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/V
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0tr
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/anaz
Source: receipt.exe, 00000000.00000003.649496258.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/;
Source: receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: receipt.exe, 00000000.00000003.659671357.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: receipt.exe, 00000000.00000003.649702876.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.comt=
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: receipt.exe, 00000000.00000003.648660858.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comN==0
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: receipt.exe, 00000000.00000003.651014423.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deC
Source: receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deFTm=
Source: receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deN==0
Source: receipt.exe, 00000000.00000003.648039451.00000000052B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: receipt.exe, 00000000.00000003.647991891.00000000052B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY
Source: Yara match	File source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

PE file contains section with special chars

Show sources

Source: receipt.exe	Static PE information: section name: 3(G7gV
Source: CjkDta.exe.0.dr	Static PE information: section name: 3(G7gV

PE file has nameless sections

Show sources

Source: receipt.exe	Static PE information: section name:
Source: CjkDta.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_00B9ABEE NtQuerySystemInformation,		0_2_00B9ABEE
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_00B9ABB3 NtQuerySystemInformation,		0_2_00B9ABB3

Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_00B92477	0_2_00B92477
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C63CA0	0_2_04C63CA0
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C624A8	0_2_04C624A8
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C6A050	0_2_04C6A050
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C62DF3	0_2_04C62DF3
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C61D98	0_2_04C61D98
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C6854B	0_2_04C6854B
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C612A3	0_2_04C612A3
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C69BA8	0_2_04C69BA8
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C63C9B	0_2_04C63C9B
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C65440	0_2_04C65440
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C6944B	0_2_04C6944B
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C6887C	0_2_04C6887C
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C6543B	0_2_04C6543B
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C649C3	0_2_04C649C3
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C68DC3	0_2_04C68DC3
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C68DC8	0_2_04C68DC8
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C649C8	0_2_04C649C8
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C659F8	0_2_04C659F8
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C61D8B	0_2_04C61D8B
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C60128	0_2_04C60128
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C65A08	0_2_04C65A08
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C6961B	0_2_04C6961B
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C68A22	0_2_04C68A22
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C69620	0_2_04C69620
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C65E28	0_2_04C65E28
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C65E38	0_2_04C65E38
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C65FC9	0_2_04C65FC9
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C65BE3	0_2_04C65BE3
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C65BE8	0_2_04C65BE8
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C687F3	0_2_04C687F3
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C687F8	0_2_04C687F8
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04FCBA08	0_2_04FCBA08
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04FC7790	0_2_04FC7790
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04FC6C20	0_2_04FC6C20
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04FC7210	0_2_04FC7210
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04FCC750	0_2_04FCC750
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_086D5970	0_2_086D5970
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_086D006B	0_2_086D006B
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_086D0070	0_2_086D0070
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_086D5960	0_2_086D5960
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_086D1B27	0_2_086D1B27

Source: receipt.exe	Binary or memory string: OriginalFilename vs receipt.exe
Source: receipt.exe, 00000000.00000002.703722345.00000000087E0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs receipt.exe
Source: receipt.exe, 00000000.00000002.699989873.0000000005A60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs receipt.exe
Source: receipt.exe, 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename4 vs receipt.exe
Source: receipt.exe, 00000000.00000002.699337341.0000000005110000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs receipt.exe
Source: receipt.exe, 00000000.00000002.693730770.0000000002A41000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs receipt.exe
Source: receipt.exe, 00000000.00000002.703631857.0000000008690000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs receipt.exe
Source: receipt.exe, 00000000.00000002.703631857.0000000008690000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs receipt.exe
Source: receipt.exe	Binary or memory string: OriginalFilename4 vs receipt.exe

Source: C:\Users\user\Desktop\receipt.exe

Section loaded: onecoreuapcommonproxystub.dll

Jump to behavior

Source: receipt.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: receipt.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CjkDta.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: receipt.exe	Static PE information: Section: 3(G7gV ZLIB complexity 1.00040097268
Source: CjkDta.exe.0.dr	Static PE information: Section: 3(G7gV ZLIB complexity 1.00040097268

Source: receipt.exe, 00000000.00000003.648822422.00000000052AC000.00000004.00000001.sdmp

Binary or memory string: DYu Type Library is a Trademark of JIYUKOBO Ltd. registered in Japan.slnt

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/11@0/1

Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_00B9A592 AdjustTokenPrivileges,		0_2_00B9A592
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_00B9A55B AdjustTokenPrivileges,		0_2_00B9A55B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe

File created: C:\Users\user\AppData\Roaming\CjkDta.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_01
Source: C:\Users\user\Desktop\receipt.exe	Mutant created: \Sessions\1\BaseNamedObjects\dyOTlUQYOFXIogRwP
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{e77d3ae2-5d58-46f0-8bbe-00fca4f52942}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_01

Source: C:\Users\user\Desktop\receipt.exe

File created: C:\Users\user\AppData\Local\Temp\tmp15FF.tmp

Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: receipt.exe	Virustotal: Detection: 43%
Source: receipt.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\receipt.exe

File read: C:\Users\user\Desktop\receipt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\receipt.exe 'C:\Users\user\Desktop\receipt.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\receipt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\receipt.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: receipt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\receipt.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: receipt.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source:	Binary string: mscorrc.pdb source: receipt.exe, 00000000.00000002.699989873.0000000005A60000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\receipt.exe

Unpacked PE file: 0.2.receipt.exe.410000.0.unpack 3(G7gV:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: receipt.exe	Static PE information: section name: 3(G7gV
Source: receipt.exe	Static PE information: section name:
Source: CjkDta.exe.0.dr	Static PE information: section name: 3(G7gV
Source: CjkDta.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_00416A34 push edi; retf	0_2_00416A44
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_0041278B push esi; iretd	0_2_00412798
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C60063 push es; ret	0_2_04C6006A
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04C62009 push ss; ret	0_2_04C6200A
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04FC0006 push ebp; ret	0_2_04FC002E
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_04FC358D push ds; retf	0_2_04FC358E
Source: C:\Users\user\Desktop\receipt.exe	Code function: 0_2_086D3753 push ds; retf	0_2_086D375A

Source: initial sample	Static PE information: section name: 3(G7gV entropy: 7.99735306844
Source: initial sample	Static PE information: section name: .text entropy: 7.96127820812
Source: initial sample	Static PE information: section name: 3(G7gV entropy: 7.99735306844
Source: initial sample	Static PE information: section name: .text entropy: 7.96127820812

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\receipt.exe	File created: C:\Users\user\AppData\Roaming\CjkDta.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp'

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon (4).png

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\receipt.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 588			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 641			Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe TID: 7052	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7092	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\receipt.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\receipt.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\receipt.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\receipt.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: C1C008	Jump to behavior

Source: C:\Users\user\Desktop\receipt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\receipt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY
Source: Yara match	File source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: receipt.exe, 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: receipt.exe PID: 7032, type: MEMORY
Source: Yara match	File source: 0.2.receipt.exe.3c85f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3c85f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3f268d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.receipt.exe.3b85e70.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading12	OS Credential Dumping	Security Software Discovery13	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	DLL Side-Loading1	Process Injection311	Virtualization/Sandbox Evasion4	LSASS Memory	Virtualization/Sandbox Evasion4	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	DLL Side-Loading1	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection311	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing14	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
receipt.exe	43%	Virustotal		Browse
receipt.exe	31%	ReversingLabs	Win32.Trojan.Wacatac
receipt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\CjkDta.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CjkDta.exe	31%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.receipt.exe.410000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.fontbureau.comI.TTF	0%	URL Reputation	safe
http://www.fontbureau.comI.TTF	0%	URL Reputation	safe
http://www.fontbureau.comI.TTF	0%	URL Reputation	safe
http://www.fontbureau.comI.TTF	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sakkal.comt=	0%	Avira URL Cloud	safe
http://www.tiro.comN==0	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/anaz	0%	Avira URL Cloud	safe
http://www.urwpp.deFTm=	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comepko	0%	URL Reputation	safe
http://www.fontbureau.comepko	0%	URL Reputation	safe
http://www.fontbureau.comepko	0%	URL Reputation	safe
http://www.founder.com.cn/cn:	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0tr	0%	Avira URL Cloud	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnTN(	0%	Avira URL Cloud	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/;	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comldu	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.carterandcone.comel	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deN==0	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com=	0%	Avira URL Cloud	safe
http://www.carterandcone.coma	0%	URL Reputation	safe
http://www.carterandcone.coma	0%	URL Reputation	safe
http://www.carterandcone.coma	0%	URL Reputation	safe
http://www.fontbureau.comI	0%	Avira URL Cloud	safe
http://www.fontbureau.comsiva	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/V	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/I	0%	Avira URL Cloud	safe
http://www.fontbureau.comldf;	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/C	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.galapagosdesign.com/I	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comI.TTF	receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.comt=	receipt.exe, 00000000.00000003.649702876.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.tiro.comN==0	receipt.exe, 00000000.00000003.648660858.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers?	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersE	receipt.exe, 00000000.00000003.655160906.00000000052BF000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/anaz	receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deFTm=	receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.tiro.com	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comepko	receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn:	receipt.exe, 00000000.00000003.647614140.00000000052AF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0tr	receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com	receipt.exe, 00000000.00000003.648538472.00000000052B4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersP	receipt.exe, 00000000.00000003.651625918.00000000052BF000.00000004.00000001.sdmp, receipt.exe, 00000000.00000003.651542933.00000000052BF000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnTN(	receipt.exe, 00000000.00000003.647816511.00000000052B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com.	receipt.exe, 00000000.00000003.648039451.00000000052B4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comalsF	receipt.exe, 00000000.00000003.654868204.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coml1	receipt.exe, 00000000.00000003.651507255.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/;	receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers_	receipt.exe, 00000000.00000003.651099578.00000000052BF000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/	receipt.exe, 00000000.00000003.651051823.00000000052AE000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comldu	receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comel	receipt.exe, 00000000.00000003.648538472.00000000052B4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/%	receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.kr	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deN==0	receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.urwpp.deDPlease	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	receipt.exe, 00000000.00000003.648039451.00000000052B4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com=	receipt.exe, 00000000.00000003.652761536.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coma	receipt.exe, 00000000.00000003.648097931.00000000052B4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comI	receipt.exe, 00000000.00000002.699420600.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comsiva	receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	receipt.exe, 00000000.00000003.656612702.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comF	receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/V	receipt.exe, 00000000.00000003.649496258.00000000052B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers~	receipt.exe, 00000000.00000003.654447369.00000000052BF000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/I	receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comldf;	receipt.exe, 00000000.00000003.651125862.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/C	receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comd	receipt.exe, 00000000.00000003.652420790.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/I	receipt.exe, 00000000.00000003.656612702.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deC	receipt.exe, 00000000.00000003.651014423.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/	receipt.exe, 00000000.00000003.647713348.00000000052AF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	receipt.exe, 00000000.00000003.652003773.00000000052AE000.00000004.00000001.sdmp, receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.come	receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comm;	receipt.exe, 00000000.00000003.653260424.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.monotype.	receipt.exe, 00000000.00000003.659671357.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/m	receipt.exe, 00000000.00000003.649569000.00000000052B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers$	receipt.exe, 00000000.00000003.660320142.00000000052B9000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comm	receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	receipt.exe, 00000000.00000003.649726282.00000000052B3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Curs%	receipt.exe, 00000000.00000003.649098670.00000000052B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cno.	receipt.exe, 00000000.00000003.647991891.00000000052B4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	receipt.exe, 00000000.00000002.701125233.0000000005F40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comals	receipt.exe, 00000000.00000003.655351438.00000000052AE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/d	receipt.exe, 00000000.00000003.649496258.00000000052B3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/	receipt.exe, 00000000.00000003.651023261.00000000052BF000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comsief	receipt.exe, 00000000.00000003.653260424.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comE.TTF	receipt.exe, 00000000.00000003.653972981.00000000052AE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.15.143.249	unknown	Latvia		35913	DEDIPATH-LLCUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357256
Start date:	24.02.2021
Start time:	10:51:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	receipt.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/11@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 7% (good quality ratio 3.5%) Quality average: 29.8% Quality standard deviation: 33.4%
HCA Information:	Successful, ratio: 80% Number of executed functions: 144 Number of non-executed functions: 26
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:52:29	API Interceptor	1x Sleep call for process: receipt.exe modified
10:52:44	API Interceptor	815x Sleep call for process: RegSvcs.exe modified
10:52:46	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.15.143.249	oMWv1Zof2y.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DEDIPATH-LLCUS	oMWv1Zof2y.exe	Get hash	malicious	Browse	45.15.143.249
	Vessel Line Up 7105082938.exe	Get hash	malicious	Browse	193.239.147.77
	2-090000000900.exe	Get hash	malicious	Browse	193.239.147.103
	CHT International.exe	Get hash	malicious	Browse	45.145.185.209
	PO 20191003.exe	Get hash	malicious	Browse	45.145.185.209
	SecuriteInfo.com.Trojan.DownloaderNET.117.13478.exe	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.Trojan.DownloaderNET.117.10549.exe	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.Trojan.DownloaderNET.117.21662.exe	Get hash	malicious	Browse	193.239.147.103
	SecuriteInfo.com.Trojan.DownloaderNET.117.16476.exe	Get hash	malicious	Browse	193.239.147.103
	f733jX7bkz.exe	Get hash	malicious	Browse	193.239.147.165
	TfRB8EdIBv.exe	Get hash	malicious	Browse	193.239.147.165
	AmazonSetup.exe	Get hash	malicious	Browse	45.145.185.40
	PO 20191003.exe	Get hash	malicious	Browse	45.145.185.209
	Server.exe	Get hash	malicious	Browse	171.22.116.126
	5tE5R0eVwq.exe	Get hash	malicious	Browse	45.145.185.153
	eYwQ9loD5Q.exe	Get hash	malicious	Browse	45.15.170.154
	SecuriteInfo.com.Trojan.Packed2.42841.8000.exe	Get hash	malicious	Browse	45.145.185.153
	SecuriteInfo.com.Trojan.GenericKD.36275553.12090.doc	Get hash	malicious	Browse	45.145.185.167
	Tax Invoice.exe	Get hash	malicious	Browse	139.28.235.223
	payment_slip_ receipt.doc	Get hash	malicious	Browse	193.239.147.103

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse
	M5QDAaK9yM.exe	Get hash	malicious	Browse
	oMWv1Zof2y.exe	Get hash	malicious	Browse
	TdX45jQWjj.exe	Get hash	malicious	Browse
	QTxFuxF5NQ.exe	Get hash	malicious	Browse
	a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe	Get hash	malicious	Browse
	3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe	Get hash	malicious	Browse
	Vietnam Order.exe	Get hash	malicious	Browse
	Dhl Shipping Document.exe	Get hash	malicious	Browse
	PO-WJO-001, pdf.exe	Get hash	malicious	Browse
	byWuWAR5FD.exe	Get hash	malicious	Browse
	parcel_images.exe	Get hash	malicious	Browse
	0712020.exe	Get hash	malicious	Browse
	JfRbEbUkpV39K4L.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	zC3edqmNNt.exe	Get hash	malicious	Browse
	Shipping Document.pdf..exe	Get hash	malicious	Browse
	PPR & CPR_HEA_DECEMBER 4 2020.exe	Get hash	malicious	Browse
	AdministratorDownloadsBL,.rar.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: YoWPu2BQzA9FeDd.exe, Detection: malicious, Browse Filename: M5QDAaK9yM.exe, Detection: malicious, Browse Filename: oMWv1Zof2y.exe, Detection: malicious, Browse Filename: TdX45jQWjj.exe, Detection: malicious, Browse Filename: QTxFuxF5NQ.exe, Detection: malicious, Browse Filename: a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe, Detection: malicious, Browse Filename: 3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe, Detection: malicious, Browse Filename: Vietnam Order.exe, Detection: malicious, Browse Filename: Dhl Shipping Document.exe, Detection: malicious, Browse Filename: PO-WJO-001, pdf.exe, Detection: malicious, Browse Filename: byWuWAR5FD.exe, Detection: malicious, Browse Filename: parcel_images.exe, Detection: malicious, Browse Filename: 0712020.exe, Detection: malicious, Browse Filename: JfRbEbUkpV39K4L.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: zC3edqmNNt.exe, Detection: malicious, Browse Filename: Shipping Document.pdf..exe, Detection: malicious, Browse Filename: PPR & CPR_HEA_DECEMBER 4 2020.exe, Detection: malicious, Browse Filename: AdministratorDownloadsBL,.rar.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\receipt.exe.log Download File
Process:	C:\Users\user\Desktop\receipt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp15FF.tmp Download File
Process:	C:\Users\user\Desktop\receipt.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.173941092991223
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGrtn:cbhK79lNQR/rydbz9I3YODOLNdq3S
MD5:	326073424F138CC1885296C478A8924E
SHA1:	CE52D5D40A74406D6FCAAB315E518DBBA52C70E7
SHA-256:	1DDD684BF5D1A1E85B77B51B630B021342754D36F3CD7AD13E46F1262BD62186
SHA-512:	E009D02B48E5EA00E137A84488CAFF4A05E6F6AEAD606EC5507387600845DD8EFB0FA52C4E3240FD1C7FFD21FB303F912FA57AA6747B3583E6D76AD08365CF02
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\CjkDta.exe Download File
Process:	C:\Users\user\Desktop\receipt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	577536
Entropy (8bit):	7.796026251145376
Encrypted:	false
SSDEEP:	12288:SncU0euEk1BdSfVfDpr26vgOIWO2UUA+4ZPZ4x07dtSvz:SGdkV2V0cSxOdtSL
MD5:	A4A4BC6E3283ECC66CD4A4DC864ACD9A
SHA1:	2114E1C9FBBC3FFA9921338E09DEFF202ABA01BF
SHA-256:	962DEBF4655A7917256AD3234217B1927A2C88AFD4631ED8258121C5B9E2DFEE
SHA-512:	B45EA70E2D6FAA54AE5FC6A26158B47A5B51C7064D85C9ED7C1F632924CC0D6A82D50D5A68D46CA7060427D59625EE4E447CC7892F8B924335CFEAC849A8A355
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M5`..............0......@.......@...`... ....@.. .......................`............@..................................i..W............................ .......................................................@...............`..H...........3(.G7gV..,... ......................@....text........`.......2.............. ..`.rsrc...............................@..@.reloc....... ......................@..B.............@...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	1488
Entropy (8bit):	6.997351629001838
Encrypted:	false
SSDEEP:	24:IQnybgCIC9oE/3blQnybgCIC9oE/3blQnybgCIC9oE/3blQnybgCIC9oE/3blQnT:IkXCNlkXCNlkXCNlkXCNlkXCNlkXCg
MD5:	C9F2440AA7796CD29110666CC178E7F4
SHA1:	BC55644B59BE9DA50D3BE05129C2FB38A703DF6A
SHA-256:	5CAF3D80729A320F4B71B72BAEFD1096C257821EA9996A9AE4F811206B3D8307
SHA-512:	FFDBE91785DB3E47F3F4361E8CE0CD920F5B913E1F2379000555575DF40EB6747C3B0A92B5235FC54BDB3DDC48C68921EEEAFBF46BB4882F71AA889634EDBDF1
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+...................S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.\|ZGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+...................S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.\|ZGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+...................S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.\|ZGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+...................S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.\|ZGj.h\.3.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:g4V:g4V
MD5:	0DA39798C7C07335778F7D2F0F1FC776
SHA1:	2979F0AA7FF28CFE7584A74C6317F94D07951BE6
SHA-256:	D636D85F4DA64AB2A21322F373E0ACA6777B89A31D778B303AD8C434E1E75FA9
SHA-512:	F148C85A2C0A80EC9E23E92CEDD5E6ED6E0CC2E7BE40CB46784B7E0348044E03149D44565184C2AB050D155A4DCEE6B9299A589666C8A1D21E4C20CE5479B39B
Malicious:	true
Preview:	......H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYk:RzWDI3
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.320159765557392
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
MD5:	BB0F9B9992809E733EFFF8B0E562CFD6
SHA1:	F0BAB3CF73A04F5A689E6AFC764FEE9276992742
SHA-256:	C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
SHA-512:	AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	433672
Entropy (8bit):	7.9996054300907025
Encrypted:	true
SSDEEP:	12288:FYbLHD8RJ3R1u49pIS86MXt8c2m6FeMlYr:Fczqr9enDXmcUBlg
MD5:	4D8AF7EC17CA5B66A617E00BB0C80481
SHA1:	EC2FE147F5370DADADFF076D4043390C7B2A45C7
SHA-256:	4251EF3033BB49F05311505FF955ED0989BA17C04F93B4DE47428A59FDFD33CB
SHA-512:	81EE1ABA97A13874A2EEC9C501633087E949C861F08E956225E44CBFF3FD61C2404DC36110D4BBBAF14D73EB3E568BE97F1947311D518290FF42C81641B332B1
Malicious:	false
Preview:	.........O.......\8..5N..`S.]..[r.$>.\.#v&..$.......Z.i..M.Mn5.@..@...3.R..Y...}>C.b....Z........K..^.d...Z...K.#...dn$e ..XP.^.#.......V...dB.Kn.Y.c..-k....M.D...Q.S..R.X.........._...Zz...#.=<.V.NHZq.h..ON..oq.:...,7H....../..Q..R.u6.."....<.`..z.5b($..9.CF.F1...o?.h.}....;Ay....kL}7...I.-.}..D&...C....%.J..+..1.5.a..Ih....s........G..?..9^0e...p..FCvNt.e...B/...y.h.G.0..o,Q.2[..........e.P8.....yr.....Q....../..S..m.......\.wA.a1.]...oW........PY..h....f:.....Ss.....\.8...@R._A...M..X....V.f).]z..u{.z-....W...NaT+.&:...1.D../.7..\.S..z..!.....#..F.d.......m'..........6.2....:H...bd].._......}.n.=...l.7%r.>...B.Q.K..q...Ex.6.6....P..^...i...Mx...;g...,t..fCd.\.b....e{.\...Y=4......+..T....j}..\|66g.s...z...Y.kTi..?Xy...5\...SO..W.U.3A.$.l..{.D...no.E..v.2.:..a..hdhO..t.w.k..T\|Po.....D?..mG.[.2.;....+...8.6.h!..w.3...w.o.....\|....f.v.to.B.{`o..a.....f.cu..........?......"...u..EA...^)W..z..jtU{^......5#....y.s.......e.l..&...%...

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.796026251145376
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	receipt.exe
File size:	577536
MD5:	a4a4bc6e3283ecc66cd4a4dc864acd9a
SHA1:	2114e1c9fbbc3ffa9921338e09deff202aba01bf
SHA256:	962debf4655a7917256ad3234217b1927a2c88afd4631ed8258121c5b9e2dfee
SHA512:	b45ea70e2d6faa54ae5fc6a26158b47a5b51c7064d85c9ed7c1f632924cc0d6a82d50d5a68d46ca7060427d59625ee4e447cc7892f8b924335cfeac849a8a355
SSDEEP:	12288:SncU0euEk1BdSfVfDpr26vgOIWO2UUA+4ZPZ4x07dtSvz:SGdkV2V0cSxOdtSL
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M5`..............0......@.......@...`... ....@.. .......................`............@................................

File Icon


Icon Hash:	c4c2c4dcf4c672bc

Static PE Info

General
Entrypoint:	0x49400a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60354D8E [Tue Feb 23 18:46:38 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00494000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16914	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x10ec8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x92000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x94000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x16000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
3(G7gV	0x2000	0x12ce4	0x12e00	False	1.00040097268	data	7.99735306844	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text	0x16000	0x68900	0x68a00	False	0.94687359991	data	7.96127820812	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x10ec8	0x11000	False	0.131333295037	data	4.37885859623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x92000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x94000	0x10	0x200	False	0.044921875	data	0.142635768149	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x80130	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x90958	0x14	data
RT_VERSION	0x9096c	0x36c	data
RT_MANIFEST	0x90cd8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Neudesic 2017
Assembly Version	1.0.0.0
InternalName	CsY.exe
FileVersion	1.0.0.0
CompanyName	Neudesic
LegalTrademarks
Comments
ProductName	VectorBasedDrawing
ProductVersion	1.0.0.0
FileDescription	VectorBasedDrawing
OriginalFilename	CsY.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/24/21-10:52:47.506328	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49736	7890	192.168.2.4	45.15.143.249
02/24/21-10:52:53.781107	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	7890	192.168.2.4	45.15.143.249
02/24/21-10:53:00.216165	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	7890	192.168.2.4	45.15.143.249
02/24/21-10:53:07.041786	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	7890	192.168.2.4	45.15.143.249
02/24/21-10:53:13.112569	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49748	7890	192.168.2.4	45.15.143.249
02/24/21-10:53:19.175131	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49758	7890	192.168.2.4	45.15.143.249
02/24/21-10:53:25.317441	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49761	7890	192.168.2.4	45.15.143.249
02/24/21-10:53:31.414875	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49762	7890	192.168.2.4	45.15.143.249
02/24/21-10:53:37.354295	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49768	7890	192.168.2.4	45.15.143.249
02/24/21-10:53:43.292313	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49769	7890	192.168.2.4	45.15.143.249
02/24/21-10:53:49.283746	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49770	7890	192.168.2.4	45.15.143.249
02/24/21-10:53:55.488604	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49771	7890	192.168.2.4	45.15.143.249
02/24/21-10:54:01.591516	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49774	7890	192.168.2.4	45.15.143.249
02/24/21-10:54:07.590336	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49775	7890	192.168.2.4	45.15.143.249
02/24/21-10:54:13.590416	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49776	7890	192.168.2.4	45.15.143.249
02/24/21-10:54:19.562525	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49777	7890	192.168.2.4	45.15.143.249
02/24/21-10:54:25.518443	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49778	7890	192.168.2.4	45.15.143.249

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 10:52:47.067248106 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:47.190197945 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:47.190323114 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:47.506328106 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:47.647924900 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:47.648315907 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:47.829463005 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:47.829793930 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:47.952914000 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:47.964724064 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.137679100 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.137999058 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.313610077 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.313962936 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.349737883 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.349807978 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.349838972 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.349867105 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.353349924 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.353440046 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.476177931 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.476227045 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.476253033 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.476275921 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.477191925 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.477231979 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.477247953 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.477256060 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.477267027 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.477278948 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.478059053 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.478080034 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.599980116 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600017071 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600033045 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600052118 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600069046 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600090027 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600107908 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600158930 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600222111 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.600240946 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.600438118 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600464106 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600508928 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600533962 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.600608110 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.600617886 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.601325989 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.603724957 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.603760004 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.603771925 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.603789091 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.604517937 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.722706079 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.722738028 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.722755909 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.722771883 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.722789049 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.722809076 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.722816944 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.722840071 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.722891092 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.722954988 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.722985029 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723020077 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723037958 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723069906 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723104000 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723133087 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.723144054 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.723220110 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723268032 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723305941 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723330975 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.723335028 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.723346949 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723387957 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723402023 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.723454952 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723465919 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.723476887 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723505020 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723521948 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.723607063 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.723614931 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.724112034 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.727200985 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.727231979 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.727247953 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.727307081 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.727350950 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.727384090 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.727410078 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.727421999 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.727421999 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.727442026 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.727473021 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.727477074 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.727910042 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.845493078 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845520020 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845537901 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845554113 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845582962 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845619917 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845652103 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.845662117 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845664024 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.845704079 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845733881 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.845738888 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.845746994 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845777035 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845822096 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845849991 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.845853090 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.845863104 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845900059 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845932007 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.845935106 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.845943928 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845963001 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.845978975 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846010923 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846014023 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846016884 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846019030 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846056938 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846106052 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846139908 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846148014 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846158981 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846174002 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846198082 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846205950 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846221924 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846261978 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846288919 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846292019 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846303940 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846317053 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846345901 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846362114 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846380949 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846410990 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846415997 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846426010 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846443892 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846462011 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846487045 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846489906 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846489906 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846540928 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846554041 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846560001 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846560001 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846609116 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846630096 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846664906 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846681118 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846698046 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846724987 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846733093 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846735954 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846785069 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846832991 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.846911907 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.846924067 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.849581957 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.849606037 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.849657059 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.849735975 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.849737883 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.849756002 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.849792004 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.849853039 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.849886894 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.849900961 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.850049973 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.850054979 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.850104094 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.850275993 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968390942 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968419075 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968436003 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968451977 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968468904 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968483925 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968501091 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968508959 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968517065 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968523979 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968539000 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968555927 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968568087 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968571901 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968606949 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968624115 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968640089 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968650103 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968652964 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968666077 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968708992 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968736887 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968748093 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968750954 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968786001 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968827009 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968830109 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968836069 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.968947887 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968966007 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.968996048 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969002962 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969084024 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969099045 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969103098 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969120026 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969125032 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969136953 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969152927 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969166994 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969173908 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969192028 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969219923 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969247103 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969253063 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969269991 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969301939 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969316959 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969319105 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969322920 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969335079 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969402075 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969405890 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969407082 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969424009 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969441891 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969456911 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969472885 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969492912 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969496965 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969502926 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969542027 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969566107 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969572067 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969589949 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.969645977 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.969651937 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.972095013 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.972125053 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.972141027 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.972157955 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.972174883 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.972193003 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.972199917 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.972210884 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.972212076 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.972280025 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.972284079 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:48.972292900 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:48.972595930 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.091381073 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.091415882 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.091511965 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.091581106 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.091588020 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.091599941 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.091655016 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.091701984 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.091706038 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.091710091 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.091784954 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.091826916 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.091835022 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.091841936 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.091907978 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.091942072 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.091953993 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.091959953 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092025042 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092067957 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092072010 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092077017 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092149019 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092184067 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092196941 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092205048 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092266083 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092304945 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092314005 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092320919 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092422009 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092462063 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092470884 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092478037 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092519999 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092564106 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092570066 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092581034 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092672110 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092705011 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092724085 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092732906 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092775106 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092818975 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092823029 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092827082 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092911005 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092943907 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.092957973 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092967033 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.092983961 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093028069 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093033075 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093040943 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093106031 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093153000 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093161106 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093193054 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093223095 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093256950 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093261003 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093261957 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093319893 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093360901 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093367100 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093466997 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093547106 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093583107 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093600035 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093607903 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093622923 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093674898 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093705893 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093744993 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.093750000 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093759060 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093791008 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.093831062 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.094759941 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.094786882 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.094832897 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.094844103 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.094846964 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.094861984 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.094902039 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.094911098 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.094954967 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.095001936 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.095009089 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.095026970 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.095109940 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.095144033 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.095163107 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.095170021 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.097392082 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214098930 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214123964 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214147091 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214200020 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214210033 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214225054 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214251995 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214276075 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214301109 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214327097 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214335918 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214340925 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214353085 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214379072 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214413881 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214418888 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214430094 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214457035 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214479923 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214502096 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214509010 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214543104 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214554071 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214576960 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214580059 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214603901 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214627028 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214644909 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214651108 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214674950 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214731932 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214735985 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214770079 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214822054 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214859009 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.214869976 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.214911938 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215008020 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215029955 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215034008 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215059042 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215076923 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215101957 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215126038 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215128899 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215152025 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215171099 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215173960 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215197086 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215207100 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215212107 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215219975 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215245962 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215259075 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215270042 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215293884 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215313911 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215317011 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215317965 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215382099 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215385914 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215387106 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215426922 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215470076 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215513945 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215513945 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215538979 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215562105 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215570927 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215600014 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215605974 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215626955 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215650082 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215650082 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215691090 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215691090 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215732098 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215735912 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215756893 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215779066 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215795040 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215816975 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215817928 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215857029 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215862036 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.215904951 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215929031 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215953112 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215975046 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.215976000 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216022968 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216032982 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216074944 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216101885 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216114998 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216140032 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216212034 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216276884 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216281891 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216300011 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216324091 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216336966 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216352940 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216397047 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216420889 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216423035 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216447115 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216470003 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216470957 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216509104 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216519117 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216523886 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.216535091 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.216655016 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.256186008 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.394139051 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.394201040 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.511429071 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:49.580733061 CET	7890	49736	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:49.580821991 CET	49736	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:53.643460035 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:53.765847921 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:53.765988111 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:53.781106949 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:53.917393923 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:53.917519093 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:54.091347933 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:54.091449022 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:54.214325905 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:54.214472055 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:54.394846916 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:54.395016909 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:54.535707951 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:54.535912991 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:54.658144951 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:54.658297062 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:54.836549044 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:54.836643934 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:54.959294081 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:54.959403992 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:55.082371950 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:55.082568884 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:55.250359058 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:55.250438929 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:55.421876907 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:55.477343082 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:55.649584055 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:55.649672985 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:52:55.838263035 CET	7890	49743	45.15.143.249	192.168.2.4
Feb 24, 2021 10:52:56.010390043 CET	49743	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:00.086617947 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:00.208715916 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:00.208841085 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:00.216165066 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:00.356956005 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:00.358464956 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:00.540971041 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:00.541033983 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:00.663841009 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:00.673875093 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:00.803632975 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:00.804260969 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:00.926320076 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:00.926450968 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:01.092775106 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:01.092858076 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:01.215440989 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:01.215573072 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:01.338922977 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:01.339004040 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:01.523920059 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:01.524254084 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:01.702462912 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:01.702831030 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:01.886574030 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:01.922262907 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:02.103749990 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:02.188956022 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:02.375017881 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:02.466573000 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:02.650207043 CET	7890	49745	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:02.860902071 CET	49745	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:06.907553911 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:07.030100107 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:07.030200958 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:07.041785955 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:07.182738066 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:07.182907104 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:07.362862110 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:07.363025904 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:07.485991001 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:07.486083031 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:07.664268017 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:07.664408922 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:07.801485062 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:07.801582098 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:07.924053907 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:07.924138069 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:08.102288961 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:08.102410078 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:08.225518942 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:08.231199026 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:08.354664087 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:08.354928970 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:08.534185886 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:08.534766912 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:08.712340117 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:08.712416887 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:08.897634983 CET	7890	49746	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:08.897721052 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:08.946425915 CET	49746	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:12.988872051 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:13.111716032 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:13.111846924 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:13.112569094 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:13.254587889 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:13.254743099 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:13.429511070 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:13.429579973 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:13.552622080 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:13.590398073 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:13.765038967 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:13.765172005 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:13.901669979 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:13.901798964 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:14.024286032 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:14.025186062 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:14.194360018 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:14.195331097 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:14.318027020 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:14.318123102 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:14.440408945 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:14.441726923 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:14.629791021 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:14.629863024 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:14.815763950 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:14.815855980 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:14.986620903 CET	7890	49748	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:14.987006903 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:15.024252892 CET	49748	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:19.050951958 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:19.173600912 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:19.173695087 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:19.175131083 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:19.312866926 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:19.313702106 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:19.486383915 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:19.486562014 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:19.609575033 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:19.609716892 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:19.783229113 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:19.783303022 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:19.914110899 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:19.914295912 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:20.037260056 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:20.037391901 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:20.203067064 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:20.203205109 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:20.326025009 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:20.326807022 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:20.449444056 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:20.449553013 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:20.637687922 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:20.637854099 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:20.822803020 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:20.826276064 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:20.993275881 CET	7890	49758	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:20.994138002 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:21.009450912 CET	49758	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:25.099822998 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:25.221894026 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:25.222621918 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:25.317440987 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:25.456347942 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:25.456788063 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:25.634089947 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:25.634203911 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:25.756865025 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:25.757083893 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:25.933908939 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:25.933985949 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:26.070334911 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:26.070421934 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:26.192656040 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:26.192730904 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:26.384177923 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:26.384279013 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:26.506798029 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:26.506885052 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:26.628936052 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:26.631732941 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:26.808984995 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:26.812416077 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:26.980808020 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:26.980947971 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:27.152995110 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:27.154090881 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:27.275692940 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:27.320766926 CET	7890	49761	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:27.320878029 CET	49761	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:31.291811943 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:31.414252043 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:31.414395094 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:31.414875031 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:31.555099964 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:31.555371046 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:31.727884054 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:31.727967978 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:31.851285934 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:31.851407051 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:32.029038906 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:32.029172897 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:32.160089016 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:32.160239935 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:32.282493114 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:32.283307076 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:32.460115910 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:32.460208893 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:32.582969904 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:32.583062887 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:32.705542088 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:32.705774069 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:32.877036095 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:32.877142906 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:33.047069073 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:33.050693989 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:33.213434935 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:33.235270977 CET	7890	49762	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:33.239602089 CET	49762	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:37.229918957 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:37.352540970 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:37.353665113 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:37.354295015 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:37.490281105 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:37.492666960 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:37.679949045 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:37.681561947 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:37.805133104 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:37.805692911 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:37.979444027 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:37.979950905 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:38.130121946 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:38.130322933 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:38.253078938 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:38.253263950 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:38.431969881 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:38.432090044 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:38.555053949 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:38.555146933 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:38.678137064 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:38.678231001 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:38.873819113 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:38.873954058 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:39.042404890 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:39.042536974 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:39.151629925 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:39.224037886 CET	7890	49768	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:39.224536896 CET	49768	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:43.168684006 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:43.291300058 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:43.291464090 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:43.292313099 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:43.430829048 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:43.430983067 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:43.602308989 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:43.602509975 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:43.725394011 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:43.725893974 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:43.901520014 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:43.901705027 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:44.040417910 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:44.040721893 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:44.163220882 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:44.163485050 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:44.335983992 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:44.336239100 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:44.459055901 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:44.459218025 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:44.581734896 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:44.581897974 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:44.754808903 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:44.754895926 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:44.932774067 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:44.932858944 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:45.115067005 CET	7890	49769	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:45.115166903 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:45.144042015 CET	49769	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:49.158111095 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:49.282908916 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:49.283054113 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:49.283746004 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:49.421261072 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:49.421360016 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:49.601599932 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:49.601773977 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:49.724399090 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:49.724493980 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:49.894098043 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:49.894197941 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:50.026484966 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:50.026753902 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:50.148843050 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:50.149075031 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:50.322211027 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:50.322381973 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:50.444674969 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:50.444804907 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:50.567096949 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:50.567212105 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:50.748610973 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:50.748699903 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:50.932059050 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:50.932169914 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:51.118153095 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:51.118369102 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:51.299499035 CET	7890	49770	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:51.299578905 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:51.317383051 CET	49770	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:55.341522932 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:55.465017080 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:55.465123892 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:55.488604069 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:55.632550955 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:55.632683039 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:55.814941883 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:55.815032005 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:55.937843084 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:55.937927961 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:56.110662937 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:56.110730886 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:56.244266987 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:56.245364904 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:56.367629051 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:56.369801998 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:56.543488026 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:56.543600082 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:56.666435957 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:56.666518927 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:56.790144920 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:56.791313887 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:56.973614931 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:56.973757029 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:57.157985926 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:57.158088923 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:57.333543062 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:57.333610058 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:57.449657917 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:53:57.503638983 CET	7890	49771	45.15.143.249	192.168.2.4
Feb 24, 2021 10:53:57.507369041 CET	49771	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:01.466964960 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:01.589699030 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:01.590080023 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:01.591516018 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:01.726738930 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:01.726856947 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:01.892401934 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:01.892515898 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:02.015389919 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:02.015671968 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:02.193298101 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:02.193548918 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:02.323369026 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:02.323476076 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:02.445928097 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:02.446746111 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:02.627695084 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:02.627789974 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:02.750843048 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:02.763115883 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:02.885999918 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:02.886126995 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:03.059760094 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:03.059899092 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:03.237941980 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:03.238008022 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:03.421247005 CET	7890	49774	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:03.421418905 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:03.452346087 CET	49774	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:07.467005014 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:07.589595079 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:07.589781046 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:07.590336084 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:07.727368116 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:07.731698990 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:07.914053917 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:07.914213896 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:08.037157059 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:08.037410021 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:08.221570969 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:08.221752882 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:08.357007980 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:08.357188940 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:08.479700089 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:08.479945898 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:08.666405916 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:08.666656971 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:08.789848089 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:08.790155888 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:08.915323973 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:08.915448904 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:09.101020098 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:09.101121902 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:09.287501097 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:09.287661076 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:09.451210976 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:09.470256090 CET	7890	49775	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:09.470325947 CET	49775	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:13.467339039 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:13.589642048 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:13.589945078 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:13.590415955 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:13.726521015 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:13.726706028 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:13.904340982 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:13.904813051 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:14.027375937 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:14.031097889 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:14.222570896 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:14.222754002 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:14.366126060 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:14.367441893 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:14.489594936 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:14.489722013 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:14.672224998 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:14.672385931 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:14.795682907 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:14.795814991 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:14.918298960 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:14.920075893 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:15.103137016 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:15.103214025 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:15.271195889 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:15.271265984 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:15.420639992 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:15.455030918 CET	7890	49776	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:15.455082893 CET	49776	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:19.438267946 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:19.560971975 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:19.561084986 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:19.562525034 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:19.698565960 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:19.698771000 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:19.873109102 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:19.873560905 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:19.996391058 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:19.996782064 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:20.164201975 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:20.164386034 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:20.293772936 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:20.293874025 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:20.415951014 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:20.416208982 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:20.592272043 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:20.592461109 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:20.715138912 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:20.715315104 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:20.837663889 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:20.837790012 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:21.023063898 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:21.023216009 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:21.190725088 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:21.192718029 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:21.370064974 CET	7890	49777	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:21.371377945 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:21.374609947 CET	49777	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:25.390108109 CET	49778	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:25.512821913 CET	7890	49778	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:25.517915010 CET	49778	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:25.518443108 CET	49778	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:25.653984070 CET	7890	49778	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:25.656466961 CET	49778	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:25.779345036 CET	7890	49778	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:25.780428886 CET	49778	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:25.918591976 CET	7890	49778	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:25.919110060 CET	49778	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:26.041620016 CET	7890	49778	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:26.043226004 CET	49778	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:26.166064978 CET	7890	49778	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:26.166362047 CET	49778	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:26.288975954 CET	7890	49778	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:26.342468977 CET	49778	7890	192.168.2.4	45.15.143.249
Feb 24, 2021 10:54:26.464585066 CET	7890	49778	45.15.143.249	192.168.2.4
Feb 24, 2021 10:54:26.514343977 CET	49778	7890	192.168.2.4	45.15.143.249

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: receipt.exe PID: 7032 Parent PID: 5824

General

Start time:	10:52:20
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\receipt.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\receipt.exe'
Imagebase:	0x410000
File size:	577536 bytes
MD5 hash:	A4A4BC6E3283ECC66CD4A4DC864ACD9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.698303043.0000000003F26000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.695413546.0000000003A98000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5728 Parent PID: 7032

General

Start time:	10:52:41
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CjkDta' /XML 'C:\Users\user\AppData\Local\Temp\tmp15FF.tmp'
Imagebase:	0xba0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5720 Parent PID: 5728

General

Start time:	10:52:42
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6664 Parent PID: 7032

General

Start time:	10:52:42
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x300000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6632 Parent PID: 7032

General

Start time:	10:52:43
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xa70000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6296 Parent PID: 3424

General

Start time:	10:52:54
Start date:	24/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xbf0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5960 Parent PID: 6296

General

Start time:	10:52:55
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: receipt.exe PID: 7032 Parent PID: 5824 receipt.exeCOMMON

Executed Functions

Function 00B92477, Relevance: 4.8, Strings: 1, Instructions: 3571COMMON

Download Yara Rule

Strings

Ppq, xrefs: 00B92D24

Memory Dump Source

Source File: 00000000.00000002.693087997.0000000000B92000.00000040.00000001.sdmp, Offset: 00B92000, based on PE: false

Similarity

API ID:
String ID: Ppq
API String ID: 0-2613104638
Opcode ID: 88d627aa3fb1f412c23821387c7790d877b70eda821f7a0f0b6dd20038c19ab2
Instruction ID: dff5a62adf7425848351b9b1c132d57a5b790b156cd4491cdb1f87cfd2a4d800
Opcode Fuzzy Hash: 88d627aa3fb1f412c23821387c7790d877b70eda821f7a0f0b6dd20038c19ab2
Instruction Fuzzy Hash: 6DC267A6C1E3C16FCF174B3488691957FB1AE2331575E42EBC4C1DF5A3D21A884AC3A6

Uniqueness

Uniqueness Score: -1.00%

Function 04C612A3, Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

f]uq, xrefs: 04C6135C
f]uq, xrefs: 04C6131B

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID: f]uq$f]uq
API String ID: 0-1113553822
Opcode ID: 3a64350853293fb92673a8e8e519fb0b2eddb9d418b5224c6a93c8eb214e4658
Instruction ID: a57d0e5d8b003b253458908301ac60b57e5010afbe23fba330cf528af635b9cb
Opcode Fuzzy Hash: 3a64350853293fb92673a8e8e519fb0b2eddb9d418b5224c6a93c8eb214e4658
Instruction Fuzzy Hash: 4831D471E006188BEB18CFABD84479EFAF3AFC9300F18C0BAD508AA214DB701A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A55B, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00B9A5DB

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 90b3ca4642a87aabcf6789a99fbb2dd7d04093eb9d0be5006128187966c60156
Instruction ID: a5d79571013055795fa8c15fff1abc0dc1a58190fc62dec50fdbd69ddc3c9d9f
Opcode Fuzzy Hash: 90b3ca4642a87aabcf6789a99fbb2dd7d04093eb9d0be5006128187966c60156
Instruction Fuzzy Hash: CD21A1765097809FDB228F25DC44B52BFF4EF16310F0985EAE9858F163D274A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B9ABB3, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00B9AC29

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 7f7f9dca9d919ad1a300d6709858d97152ae871642b4946cd4ec040710b13da0
Instruction ID: 7d874a7a353c8caaf8d83daa9736acf1baccf5863fa5b066ba111dfb538dfa91
Opcode Fuzzy Hash: 7f7f9dca9d919ad1a300d6709858d97152ae871642b4946cd4ec040710b13da0
Instruction Fuzzy Hash: 3221C07640D7C09FDB238B21DC41A52FFB4EF16314F0984DBE9848F163D265A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A592, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00B9A5DB

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 5d3d6133b3733ed4e148833ccf35d1c29b9e8e0f503f1ee86c49b2cc712e47f0
Instruction ID: 776c0b08da9e49b94370d0f050e7cba786c82bf952c73d37c8f00728cbf820f8
Opcode Fuzzy Hash: 5d3d6133b3733ed4e148833ccf35d1c29b9e8e0f503f1ee86c49b2cc712e47f0
Instruction Fuzzy Hash: D6114C756003009FDB208F55D884B66FBE4EF04320F18C4AADD458B656D675E818DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B9ABEE, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00B9AC29

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 9b57bf61de7875231e68e4c0d85dd96fbe5d42610f289b16fbea48a25ec2da7b
Instruction ID: 6ad8c399dab110ff30c6f99f8ac42f831789e9f73188ea9f2cc5f1583c46fa19
Opcode Fuzzy Hash: 9b57bf61de7875231e68e4c0d85dd96fbe5d42610f289b16fbea48a25ec2da7b
Instruction Fuzzy Hash: B70178355046049FDB208F4ADC84B65FBE0EF18720F18C4AADD890A616D275A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04C63CA0, Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

{, xrefs: 04C63F36

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID: {
API String ID: 0-4159065886
Opcode ID: a212e48487dc87109cd6664d5baa0d65dedb2ce0e8bacbdcec0ffe66aea070ec
Instruction ID: fa8510cc5d43e9ac593cc64b97c88696829ce307746c0cb0f87af9b3aac043df
Opcode Fuzzy Hash: a212e48487dc87109cd6664d5baa0d65dedb2ce0e8bacbdcec0ffe66aea070ec
Instruction Fuzzy Hash: 2FC17070D1920ADFCB04CF95C6808AEFBB2FF49310B24D659D802BB264D731AA51DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04C63C9B, Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

{, xrefs: 04C63F36

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID: {
API String ID: 0-4159065886
Opcode ID: ccbf8026708685e131d03479ff9225b965a3b9a3f1aed3cf726853e8f565002f
Instruction ID: 69b30fd14978ab3634fa793da0b4ad1b29c87114e7a14736fcec2e8d6a193046
Opcode Fuzzy Hash: ccbf8026708685e131d03479ff9225b965a3b9a3f1aed3cf726853e8f565002f
Instruction Fuzzy Hash: F2C1517491920ADFCB04CF95C6808AEFBB2FF49310B24D659D802BB264D731EA51DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04FC7790, Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

, xrefs: 04FC7AB7

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 77ebe2197400a873288b58493f5238d3f0ae3aa062a6f40983850238d8aa9a91
Instruction ID: 3723678662695387cf2888250dc1506593ef7d2278c5691a8b6dfa5c06184bea
Opcode Fuzzy Hash: 77ebe2197400a873288b58493f5238d3f0ae3aa062a6f40983850238d8aa9a91
Instruction Fuzzy Hash: EDA11275D0520ACFDB04DFA1C6846EEBBF1BF49310F20946AD411BB254D7786A42CF68

Uniqueness

Uniqueness Score: -1.00%

Function 04C69BA8, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b7fb59d9bb47ed78952fc0944d57ddcc2f01d0d2e9f21deb19a673cba7f7b3
Instruction ID: 99c22f4e52d86010760174c601dc3aca79b4ed7e49067264be2f7dc3000a9b95
Opcode Fuzzy Hash: c6b7fb59d9bb47ed78952fc0944d57ddcc2f01d0d2e9f21deb19a673cba7f7b3
Instruction Fuzzy Hash: 1391F6B4E05218DFCF14DFA9D580AADBBF6BF89340F20882AD406AB254DB356941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 04C61D8B, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed5e33459b5d45d16b9539442056670333e4838fbaccf3f414c99255d98ac2f
Instruction ID: d5889bb0dd83b65085898207bc0c6c26de0d10ba0070360753dc26cd4f86dbd6
Opcode Fuzzy Hash: 4ed5e33459b5d45d16b9539442056670333e4838fbaccf3f414c99255d98ac2f
Instruction Fuzzy Hash: 4471E274E00219DFDB08CFA6D5856AEFBF2BF89311F24806AD416AB254DB349A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04C61D98, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb24999b0858fc84ec0bb60b8f4f89813db1781af855b546288877b9ecac3db5
Instruction ID: d3430fbaecae79d3a09e59553021ff840fcab18bddb1dec4de8f67e688fabb8a
Opcode Fuzzy Hash: fb24999b0858fc84ec0bb60b8f4f89813db1781af855b546288877b9ecac3db5
Instruction Fuzzy Hash: BA71F270E00219DFCB08CFA6C5856ADFBF2FF88311F24806AD416AB354DB34AA418F51

Uniqueness

Uniqueness Score: -1.00%

Function 04C6854B, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b3b030a297ceed62515fc72ffc6b78866eff3a0dbab8b59443d625f6f2581e
Instruction ID: faef3ab997ae71361d2fe35cf5ff75eb93720a36df2f4949f07cd32ab464420a
Opcode Fuzzy Hash: 26b3b030a297ceed62515fc72ffc6b78866eff3a0dbab8b59443d625f6f2581e
Instruction Fuzzy Hash: 72712574E06209DFCB04DFA5C5946ADBBB2FF89300F20886AD406BB354DB74AA41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04FCBA08, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ad2388520568484451fea2e176f6cc89d8b6c0447e7f673ff54dbb84f98f3e
Instruction ID: 664ba66701c4a7162bfec0bf32b89aec03c63cf9d60ed6f3f27758139126a176
Opcode Fuzzy Hash: 60ad2388520568484451fea2e176f6cc89d8b6c0447e7f673ff54dbb84f98f3e
Instruction Fuzzy Hash: AB6182B4E04219DFDB54DFA9D9856ADBBF2FF89300F20912AD819A7354EB346942CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04C624A8, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a57664e3034e2c56de91b6af51325d37dcf0a8e3670e2ac241de78619bda7b
Instruction ID: 3de74819655046c9e955f8205963ad7bc14736087f75765af9ceca7ab3038354
Opcode Fuzzy Hash: 07a57664e3034e2c56de91b6af51325d37dcf0a8e3670e2ac241de78619bda7b
Instruction Fuzzy Hash: 85511A70E052098FCB08DFA6C4945AEFBF3EB89304F24D46AD416B7255E7349A41DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04C6A050, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621e0023c36172d5f69ca8fb20d44454c691fbacfa7f74cb658345ce97cbeb53
Instruction ID: abe57d96635fd48b2348a651286477b05b340155fdeedaf9e9efd9009368eda0
Opcode Fuzzy Hash: 621e0023c36172d5f69ca8fb20d44454c691fbacfa7f74cb658345ce97cbeb53
Instruction Fuzzy Hash: 3F511A30E05209EFCB04CFA5C5819EDF7B2FF8A300F2495AAD416BB264DB35AA40DB44

Uniqueness

Uniqueness Score: -1.00%

Function 04C6944B, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b906809966aa2bc153c8d1bbe693273211ca97c9a257c5ec575b1ba27be7ac
Instruction ID: 667d1b55bfdf94638b76f2bdab7951cd33d65b34e6b04e1fbb680fda6497860a
Opcode Fuzzy Hash: c2b906809966aa2bc153c8d1bbe693273211ca97c9a257c5ec575b1ba27be7ac
Instruction Fuzzy Hash: 1451E4B1E0124CCFDB54CFA9C99069DBBF2FF89300F24852AD416AB255EB30A942CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04C62DF3, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d7b24390ffb358c9441ff37b9d82543b15a728b171f7c743845ef8b3ec3176
Instruction ID: 6e5a4fdbefeeb04dd2da57c1bbce34e719dcf25161d3d3a24ac01cfdfa3181eb
Opcode Fuzzy Hash: f8d7b24390ffb358c9441ff37b9d82543b15a728b171f7c743845ef8b3ec3176
Instruction Fuzzy Hash: 3D31E4B1E016188BDB18CFAAD84479EFBB3AFC9300F14C06AD409AA264DB745A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 086D5960, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.703652718.00000000086D0000.00000040.00000001.sdmp, Offset: 086D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a444b63256f047e8a58a767eebbf8d012b969c4e0044bedd377f19745c7d6c0d
Instruction ID: caa236d69aefc936ed6357ccd984531e0110700329a6a424e368cc1a47c6b032
Opcode Fuzzy Hash: a444b63256f047e8a58a767eebbf8d012b969c4e0044bedd377f19745c7d6c0d
Instruction Fuzzy Hash: 362198B1D016188BDB18CFABD94529EBAF7AFC8300F14D47AC409AB628EB7406468F50

Uniqueness

Uniqueness Score: -1.00%

Function 086D5970, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.703652718.00000000086D0000.00000040.00000001.sdmp, Offset: 086D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa83102fceb6c7df917b389327d03128dce0741e65d774f3108a51b8d34c792
Instruction ID: e9cda5629130c6f6d08e8a4a2e9271166c7f713b9588575e4f71a0d2db61c055
Opcode Fuzzy Hash: 2aa83102fceb6c7df917b389327d03128dce0741e65d774f3108a51b8d34c792
Instruction Fuzzy Hash: 972188B1D016189BDB58DFABD94529EFAF7AFC8300F14D47AC809A7218EB7406468F50

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1644, Relevance: 1.6, APIs: 1, Instructions: 117synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04CE15ED

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 64380e556ce7f0051d45b336fe4fb8465df165709d6660406fecd99cc92e8a4f
Instruction ID: 7b5782ecf48a1b950ddf085db6d9e75483bb9a00946e2a3dba9b1759310e6bab
Opcode Fuzzy Hash: 64380e556ce7f0051d45b336fe4fb8465df165709d6660406fecd99cc92e8a4f
Instruction Fuzzy Hash: E241C2754093809FD312CB65DC45B65BFB4EF47320F0981DBD8848F293D235A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE22A7, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04CE2357

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2d53a7241bddb740001c790630ae8bbc777a19e61d464ba4b0156fd9acce9613
Instruction ID: 77caea82cb94b07961fa2254bab1814453f3f7861eae85fc3ddd202de6204789
Opcode Fuzzy Hash: 2d53a7241bddb740001c790630ae8bbc777a19e61d464ba4b0156fd9acce9613
Instruction Fuzzy Hash: FC3194B15043846FE7228F65DC45FAABFACEF06320F0485AFE985DB152D224E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00B9AE5A, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 00B9AF02

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 27d490b377319fed870a948bf066377ab278c7eb2c46c30fb7d7d911a5d99474
Instruction ID: f6003ac49eada6de1b78f4f068c47f9bb69d2a6f981e0b9d6504f651580cd7b7
Opcode Fuzzy Hash: 27d490b377319fed870a948bf066377ab278c7eb2c46c30fb7d7d911a5d99474
Instruction Fuzzy Hash: 1A317F7144E3C15FD3238B258C61A65BFB4EF47620F0A41DBE884CF5A3D228A819C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1B96, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 04CE1C40

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 7b7b020a4e29f9edfd6e03fa2b9c6b8f96d56c32416cb06eab8ba79781e75a5d
Instruction ID: 8ef1bf0a06481f3873722496272dc87957c90b63c866f8d2f193daf6fe8c14e1
Opcode Fuzzy Hash: 7b7b020a4e29f9edfd6e03fa2b9c6b8f96d56c32416cb06eab8ba79781e75a5d
Instruction Fuzzy Hash: 633195B1505784AFEB228F65DC45FA6BFB8EF06310F08849BE9859B153D634A508C761

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1546, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04CE15ED

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9a73082acf8df739b3aac72a45ae6564701eed19f2100f47273013c2eea9b483
Instruction ID: f78add9151d254a4bcf3c78b35334735db345b79a882d1f6d961729e1991e138
Opcode Fuzzy Hash: 9a73082acf8df739b3aac72a45ae6564701eed19f2100f47273013c2eea9b483
Instruction Fuzzy Hash: 4E31A1B1509780AFE722CF25DC44B56BFE8EF06310F08849AE9848B292D335E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B9B785, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 00B9B840

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6ae2e12a651b7afea10c2a9c2a091c4d966d626a2cd8f49bf08e296c30878619
Instruction ID: af3dc5bb6f97b398799aefa88e9d530e12c34e4bd3b895431ceb1deb16875a14
Opcode Fuzzy Hash: 6ae2e12a651b7afea10c2a9c2a091c4d966d626a2cd8f49bf08e296c30878619
Instruction Fuzzy Hash: 1F3172715053845FEB22CF25DC84F66BFECEF06710F1884AAE9858B153D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1726, Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04CE17C5

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 31717a3154994a9640359c894d3efa015160705111bfcca50c204e0d54943fae
Instruction ID: 50e7f2f31fc5724fe844022a7053a38c408972b7299c6ea505b625af36570b58
Opcode Fuzzy Hash: 31717a3154994a9640359c894d3efa015160705111bfcca50c204e0d54943fae
Instruction Fuzzy Hash: 6A315CB1504740AFE722CF65CC44F66BBE8EF05620F0885AAE9858B252D375E905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1EC7, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 04CE1F63

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 1990d210207ce271f1e7c137eb9839ea160624697687505f3c150fa8374903d5
Instruction ID: 45692ee46a64cfdea4ccb8ebf68272b6deb163edd8fee3b7c43f2e051a6296a8
Opcode Fuzzy Hash: 1990d210207ce271f1e7c137eb9839ea160624697687505f3c150fa8374903d5
Instruction Fuzzy Hash: BA219172504344AFEB21CF65DC44F66BFA8EF05310F08889AED849B152D334E919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B9B69E, Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00B9B73D

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: add5766e2f007d5f06fd35f21732e95512b05c04e70176c53d10b2a0f3ccefbe
Instruction ID: e707d0c755cde6f89299c5370c332074494f6ccfa0b8bf6bbaba8015d88074e6
Opcode Fuzzy Hash: add5766e2f007d5f06fd35f21732e95512b05c04e70176c53d10b2a0f3ccefbe
Instruction Fuzzy Hash: 4521A0B2504344AFE7228F65DC85F6BFFECEF45320F08859AE9819B152D224E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2678, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 04CE2708

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a73251e13de420c053147580b589a913fae091f51873af3d0e8784bbeed037b0
Instruction ID: e04b00c0a61c42048b73c383b96b106d91d6b7c8c798a52fbfdc2b8f37b89a32
Opcode Fuzzy Hash: a73251e13de420c053147580b589a913fae091f51873af3d0e8784bbeed037b0
Instruction Fuzzy Hash: B321B5B55093806FE712CF25DC45FA6BFA8EF06320F0884EBE984CF193D264A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 04CE22DA, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04CE2357

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f3e85e6ab9f686b6ae0e53fbb406f7cafa56e9fb44c5df16595954e460f6852
Instruction ID: 9a6e13af854bebc3768fc7f7ddaf0f0144a2efcff8c9f3083524e7f850ffe514
Opcode Fuzzy Hash: 7f3e85e6ab9f686b6ae0e53fbb406f7cafa56e9fb44c5df16595954e460f6852
Instruction Fuzzy Hash: 66219272500304AFEB21DF66DC44F6AFBADEF04320F04886AED859A551D734E5158B71

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A7D8, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 00B9A85C

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 608cf335ac19f8aafe6e9982e4eb0b338dc9bb17facbacf6cf32b86a02bc4d9c
Instruction ID: 6555599f2a483e8cf34e8d017b4cf7b05045f4ca6d087bb498f79b2a8c286944
Opcode Fuzzy Hash: 608cf335ac19f8aafe6e9982e4eb0b338dc9bb17facbacf6cf32b86a02bc4d9c
Instruction Fuzzy Hash: 7B21B6715093846FEB128F25DC45F66BFB8DF46320F1884EBE984DF193D2649944C761

Uniqueness

Uniqueness Score: -1.00%

Function 04CE23B5, Relevance: 1.6, APIs: 1, Instructions: 78fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 04CE243C

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a423749467e50acf3fee5971bcf7db8b8685a704809c2cca95844fddcdbdc604
Instruction ID: c598d9a81953c2d3ed1ef0c33587929263ced74145f673241c969e110ec81180
Opcode Fuzzy Hash: a423749467e50acf3fee5971bcf7db8b8685a704809c2cca95844fddcdbdc604
Instruction Fuzzy Hash: 062171765093C09FD713CF25DC54B62BFA89F07614F0984DADC858F263D225A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE181C, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 04CE18B1

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: da3752e0f44677a579e26c02972f197104d8f9e50b5f199c7d7a6c567e01cd2f
Instruction ID: 01904fb8983cfd932368bd6d16dd1b6e7f6b2ff1f44ff1548de0f74397ac1376
Opcode Fuzzy Hash: da3752e0f44677a579e26c02972f197104d8f9e50b5f199c7d7a6c567e01cd2f
Instruction Fuzzy Hash: 612128B65087806FE723CF26DC44BA6BFA8EF46720F0980DAE8848B153D324A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1746, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04CE17C5

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 14ea926b3bc731d38c4ca63d2957d46526ba532ee5148dc07a75240e91d439a0
Instruction ID: b8ae6b49b26374922731d0a42ebe085d757ea7ee5bc39277bd2c4d07b168aa6e
Opcode Fuzzy Hash: 14ea926b3bc731d38c4ca63d2957d46526ba532ee5148dc07a75240e91d439a0
Instruction Fuzzy Hash: 4B219AB1600300AFE721CF6ACC44B66FBE9EF08720F08856AE9858B642E731F514CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00B9B6BE, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00B9B73D

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1d0aa1a0b58b6896a8a7dff524db5b1b46654e8f448133ccac19077ed222a5f1
Instruction ID: 4ca697425a69b2cd75cd9a378e0e69b5042ea5dcc278385ce1933d24eccce1a7
Opcode Fuzzy Hash: 1d0aa1a0b58b6896a8a7dff524db5b1b46654e8f448133ccac19077ed222a5f1
Instruction Fuzzy Hash: 9921CF72500304AFEB218F69DD85F6AFBECEF48320F14856AE9419A641D724E9088A71

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0961, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?), ref: 04CE09E3

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b32c80d6a5a720e2679bc26c378c118b955360b1184b46fa4fb6e9c13dd60bc1
Instruction ID: accf33991b066c094b37e7c1906d10c6c52806c6e611dfbc664199edf2459790
Opcode Fuzzy Hash: b32c80d6a5a720e2679bc26c378c118b955360b1184b46fa4fb6e9c13dd60bc1
Instruction Fuzzy Hash: CF2192715093849FE722CF26DC44B62BFF4EF06320F09859AE9858B563D374E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1EF2, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 04CE1F63

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: d9d61c4f5d4b0271a0142951a313075e146247f11ad85445f008301d3ea3a881
Instruction ID: b021bfbb0f0b5bdb8b7ba801cc87fbaa5091e66e6acab8bd95abc1d272b70129
Opcode Fuzzy Hash: d9d61c4f5d4b0271a0142951a313075e146247f11ad85445f008301d3ea3a881
Instruction Fuzzy Hash: D521C371600304AFEB20DF6ADC44F6AFBA8EF04320F18846AED449B241E734E5198BB1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE157A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04CE15ED

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 961adc1b52afb0b0ed017856de1f2257afcbf8d5f294566005065634355635ff
Instruction ID: bb699566059556e29362e91230d489d1293376f07ddd41bd13b9cdfc0cba0bc8
Opcode Fuzzy Hash: 961adc1b52afb0b0ed017856de1f2257afcbf8d5f294566005065634355635ff
Instruction Fuzzy Hash: 1A2180B16002409FE720DF6ADC45B66FBE8EF04320F18846AED458B241E775E904CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00B9AAEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,EDF804E7,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00B9AB6A

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 36627301115104c34383537901b6d834c7578ff44e2c499fdc74f5528bbe4c13
Instruction ID: 8dc895d24e457caaba55e4420a0aa0798f1ac1f28cfcd24362581854177fac9c
Opcode Fuzzy Hash: 36627301115104c34383537901b6d834c7578ff44e2c499fdc74f5528bbe4c13
Instruction Fuzzy Hash: CD2160755093805FEB12CB25DC54BA2BFE8EF47314F0984EBE9848F153D2659908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE19CE, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 04CE1A4D

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e0cdf719e6ad0288ea982e049f6cd2be01785a1474a335a4897117dec430c7bb
Instruction ID: 00611e94f7c5b026ac54826192a4d8be9586443443efc6b0d8cc6cf277960210
Opcode Fuzzy Hash: e0cdf719e6ad0288ea982e049f6cd2be01785a1474a335a4897117dec430c7bb
Instruction Fuzzy Hash: CF219272405380AFDB22CF55DC44F66BFB8EF45320F0885AAE9859B152C234A508CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04CE1BD6, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 04CE1C40

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 6a0ad5913e00310e37a325b68832e3b2cd4985d7cde91f23c96642bfd5a63a2d
Instruction ID: afc50c9f0e9ceb3dea93e32dee0764efc69c0b845f164dbdbd00efa0a34e0bbb
Opcode Fuzzy Hash: 6a0ad5913e00310e37a325b68832e3b2cd4985d7cde91f23c96642bfd5a63a2d
Instruction Fuzzy Hash: F31190B1600304AFEB21CF66DC84FAABBACEF04320F08846AE945DB145D674E514CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A1F4, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00B9A26C

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6833966ebe9dc8ddb43e234c38f8c69316f6ee7afe458c16569a6d76f1eca12c
Instruction ID: 266e3b5ed31fd1dc8abcbe104084a702ef07fc4abcfc3e4189ea31d9d06e7db1
Opcode Fuzzy Hash: 6833966ebe9dc8ddb43e234c38f8c69316f6ee7afe458c16569a6d76f1eca12c
Instruction Fuzzy Hash: F0216A7550D3C09FD7138B65DC54696BFB4EF47220F0A84EBD884CF5A3D228A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B9B7C6, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 00B9B840

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7e681f0ef581bd78b44a13dff70e68c1cfb31ab5292aa561dd509625b65ac9ae
Instruction ID: 96d3167d856b0f22a61a0efc518d23a6812b7499cb96e6cf6acd71227289086d
Opcode Fuzzy Hash: 7e681f0ef581bd78b44a13dff70e68c1cfb31ab5292aa561dd509625b65ac9ae
Instruction Fuzzy Hash: E7218EB1600304AFEB21CF15DD84F66BBECEF08720F1484AAE945CB256D764E804CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A8C0, Relevance: 1.6, APIs: 1, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00B9A93D

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f435e921fb0d2941fefc1c322f8787a9f2896f03c40248fa46f76ef8fa8837f7
Instruction ID: 1735dc1840f53aa35a6677e23f2d5cb8e72bf49d556491a43cb56c0f93e00b75
Opcode Fuzzy Hash: f435e921fb0d2941fefc1c322f8787a9f2896f03c40248fa46f76ef8fa8837f7
Instruction Fuzzy Hash: F6219D764097C09FDB238B25DC50A62BFB4EF07224F0984DFE9858B163D224A808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A628, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00B9A694

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b3bd2cf97ebc40d066dc3b7431f076315316d4835d988f9ab8e8139eeb1f573e
Instruction ID: ad204b4273caff20d864016c7357d1d4519377ae3da96acd9959f1f14cbfdec5
Opcode Fuzzy Hash: b3bd2cf97ebc40d066dc3b7431f076315316d4835d988f9ab8e8139eeb1f573e
Instruction Fuzzy Hash: DF216F765093C05FDB128B25DC54692BFA4AF17224F0D84EAEDC58F663D2649908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A34F, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00B9A3BE

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b6669cf3e4f355c3f3ae18fad7297c6e0b207d86f516a8393751ffe32f60c8c2
Instruction ID: 18cfd0eb99c6463c009534864c12a933a4a9f44e4b06a4bee0a2d6b6b8ff2541
Opcode Fuzzy Hash: b6669cf3e4f355c3f3ae18fad7297c6e0b207d86f516a8393751ffe32f60c8c2
Instruction Fuzzy Hash: 4C2187715093809FDB21CF29DC44B56BFE8EF56220F0884EAED85CB252D274E804C762

Uniqueness

Uniqueness Score: -1.00%

Function 04CE01F9, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04CE0275

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: f6b819a0b2dea5191c0fb088df67ded6f969419df49bdfdef029921b32c8de15
Instruction ID: f9ab2aecf986a47145d89abffba624394619dfdfca9220913cc6994ad7cfa5f6
Opcode Fuzzy Hash: f6b819a0b2dea5191c0fb088df67ded6f969419df49bdfdef029921b32c8de15
Instruction Fuzzy Hash: EF2190755093809FD7228E16DC45B62BFF8EF46714F09848AED84CB253D375E909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2761, Relevance: 1.6, APIs: 1, Instructions: 65injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04CE27D4

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4f4d181331c2328b22faac29bd8fa42a89706118d2c57bc83095354f85a3bf91
Instruction ID: 6a145a1d9c5ae521dd99dd902611df9d2dc9180dedc0f4721d853d147d0d68a6
Opcode Fuzzy Hash: 4f4d181331c2328b22faac29bd8fa42a89706118d2c57bc83095354f85a3bf91
Instruction Fuzzy Hash: BF21A1761097809FD7228F15DC44A62FFB8EF06210F0884DAED858B263D375E558DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE28B5, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04CE2929

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 00df5ad3be312f4e116d35dda97fb1cd734eb60e532d9924692c978516934a56
Instruction ID: ac767483ec4c9773ed2449a0bda6fb81296daa6241052a342a0b4d50e37ff125
Opcode Fuzzy Hash: 00df5ad3be312f4e116d35dda97fb1cd734eb60e532d9924692c978516934a56
Instruction Fuzzy Hash: 2E218C724093C09FDB238F25DC44A62BFB4EF07220F0985DAE9C48F163D225A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B9B060, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B9B0D2

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0d3c7d100d6fc03c5afdea100227ee65190a71ba31a688dd62435bd27e055a78
Instruction ID: e4ce987565208aa8809df0e0025ca9f87697954955cd993bb703da78f179084f
Opcode Fuzzy Hash: 0d3c7d100d6fc03c5afdea100227ee65190a71ba31a688dd62435bd27e055a78
Instruction Fuzzy Hash: 022181314093809FDB228F65DD45A52FFF4EF0A320F0989DEE9858F162C375A859CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04CE26B2, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 04CE2708

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 99add99bfb80cd5e0dd4669e96f73a8af969edfd34033ce664422228f532b46b
Instruction ID: 4e91c359df1f33b04ea638905bd1f87d5220b1b049aa87377a52dcb4ae4bf789
Opcode Fuzzy Hash: 99add99bfb80cd5e0dd4669e96f73a8af969edfd34033ce664422228f532b46b
Instruction Fuzzy Hash: E21191B1600304AFEB21CF6ADC85B6AFB9CDF04320F1884AAED45DB246E674E5048A71

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A806, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 00B9A85C

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: df571d177cc2d887646ca07b7b49123328ba3acc2f316a7d1954200ad6a7e3fa
Instruction ID: 8aa83e586cdf964ceb2ece65063be5cf38f434fbe324ce8a9714f44b5cde7538
Opcode Fuzzy Hash: df571d177cc2d887646ca07b7b49123328ba3acc2f316a7d1954200ad6a7e3fa
Instruction Fuzzy Hash: 8D1194B1500304AFEB21CF59DC85B6ABB98DF44320F1484BAED459B246D674E805CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE19EE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 04CE1A4D

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8ef31c17e1c92a9c78081b2df9c4982dd6c007edefb1ad909354080d1417a75c
Instruction ID: b126ac2f94cc074256c3c8daee9354398fe3bb753627191cda2dcd46315a9445
Opcode Fuzzy Hash: 8ef31c17e1c92a9c78081b2df9c4982dd6c007edefb1ad909354080d1417a75c
Instruction Fuzzy Hash: C111B271500300AFEB21CF96DC44B7AFBA8EF04320F18856AED459B146D774A514CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE25D7, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04CE263C

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8890f01d30a75bf685a67a9972ee3ad5bc3f8ea3a64eaba606fa554cc2471308
Instruction ID: dd268ecbf5cb876c44b1ca4fd69641836a7ab902142793f739b0f3db3db204cd
Opcode Fuzzy Hash: 8890f01d30a75bf685a67a9972ee3ad5bc3f8ea3a64eaba606fa554cc2471308
Instruction Fuzzy Hash: B911E2760097809FDB228F25DC40B62FFB4EF06220F0885DEED858B563C375A558DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2B03, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04CE2B6D

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 94ea91becd79d0d6fa6eee55b831a9deffa00538d7f76a5c9bec7822ca36ede9
Instruction ID: 5e142c1d4abb91811610784698434cd95dd546b902ecde63c37d2bdd89313d97
Opcode Fuzzy Hash: 94ea91becd79d0d6fa6eee55b831a9deffa00538d7f76a5c9bec7822ca36ede9
Instruction Fuzzy Hash: 8411D0724093809FDB22CF15DC85B62FFB4EF06224F0884DEED858B163C275A518CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2530, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 04CE258F

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: a47a890baf86a81c83220cd85ae88bc1b2b41038fe4856526143f6aa826691e8
Instruction ID: 2d26d28dc8569b5a72a7bf448877e2af3f8b7f297c2d87ac6ab46325dd199255
Opcode Fuzzy Hash: a47a890baf86a81c83220cd85ae88bc1b2b41038fe4856526143f6aa826691e8
Instruction Fuzzy Hash: 4E118F755053849FD721CF15DD85B66FFE8EF06220F0980EAED468B262D374E948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B9AD2C, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00B9AD8C

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 9f3396bf1e77935ca6bfe73a13d8950413a1c9fdd6ec983785b431155892d8eb
Instruction ID: 8ad5bd9e0e2c6bd467cacbf146071b704bbed30b40de11940b9b7e7f4c56115c
Opcode Fuzzy Hash: 9f3396bf1e77935ca6bfe73a13d8950413a1c9fdd6ec983785b431155892d8eb
Instruction Fuzzy Hash: 55118275504380AFDB12CF15DC44B62BFA8EF46325F0880EAED458B653D274A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A376, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00B9A3BE

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7b0fd319ad33b38afc31c4a40853d4da2ff9f94c50a4c19a4e4a1040e9008731
Instruction ID: 538357cc1256e48b9fb78aa00ca795f0a803cd67ec870e41a5e6dd825ebedb01
Opcode Fuzzy Hash: 7b0fd319ad33b38afc31c4a40853d4da2ff9f94c50a4c19a4e4a1040e9008731
Instruction Fuzzy Hash: 741152716043408FEB60CF6AD985766FBD8EF14320F1884BADD45CB646D674E804CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0992, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?), ref: 04CE09E3

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 53794b9190024b34d7c553b43562b830ed81caaf1bfa97f2f099d116f4f20b8b
Instruction ID: b7e94a3d2b6cf2b4d9b1006b500fbc6a31075fe6994f85747ce48a4bbf600e02
Opcode Fuzzy Hash: 53794b9190024b34d7c553b43562b830ed81caaf1bfa97f2f099d116f4f20b8b
Instruction Fuzzy Hash: 36115E716003449FEB20CF67D884B66FBE4EF04320F08846ADE459B652E3B5E504DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CE185E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,EDF804E7,00000000,00000000,00000000,00000000), ref: 04CE18B1

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a50afa163df88606a177895cabe9df36afa452d4f0a7eef00ffa48726f77f0de
Instruction ID: e9b07f7d924bfa5c17f4e7e349cf508f194d778c6f0e14ee1d8090657372c9c6
Opcode Fuzzy Hash: a50afa163df88606a177895cabe9df36afa452d4f0a7eef00ffa48726f77f0de
Instruction Fuzzy Hash: BF01C475600304AFE721CF16DC45B76FB98DF04720F588456ED459B246D774E505CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B9B95C, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B9B9BC

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 22a739b0e35da20aa6c48a7b295131e39ebb15fbd2be7d85f393ec0d95d3301f
Instruction ID: ad5b28bcc22b36f4f3ca662bca5bcd4478bc42958e20920fa0efa8307a189903
Opcode Fuzzy Hash: 22a739b0e35da20aa6c48a7b295131e39ebb15fbd2be7d85f393ec0d95d3301f
Instruction Fuzzy Hash: 35118F32409780AFDB218F55DD45E56FFF4EF05320F08859EED854B662C375A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B9AB2A, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,EDF804E7,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 00B9AB6A

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: adea5dff475ab78b5e34ef8580566779a1d1270afa81f592d2a25359789faeb9
Instruction ID: 67c29c5e48b9abca2a58826aac9d82d6526774913fde2b7afac0271d4ef1ac78
Opcode Fuzzy Hash: adea5dff475ab78b5e34ef8580566779a1d1270afa81f592d2a25359789faeb9
Instruction Fuzzy Hash: 8C1161756003008FDB20CF69D884766FBE4EF04320F18C4BADD498B656D674E804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE278E, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04CE27D4

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a07f6c8624e116de3700ec38f778a70a152ceb41c7c1c7357085d8aced82dcae
Instruction ID: aafdc4a9499c743d50385f2311eef58da4346c8961933750d7b89e845145c117
Opcode Fuzzy Hash: a07f6c8624e116de3700ec38f778a70a152ceb41c7c1c7357085d8aced82dcae
Instruction Fuzzy Hash: 1D018E356006009FDB208F56D884B66FBA8EF04720F08849ADD458B652E375E518DA72

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2402, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 04CE243C

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2e554ce1fe89c17a8483accb7397e2ad1f8f5beeedc8cd7e8880bb482274a8c0
Instruction ID: 2b6fcebc81aafed4bafff3923280110e92ea295b4250e0fd27a20e96547cf097
Opcode Fuzzy Hash: 2e554ce1fe89c17a8483accb7397e2ad1f8f5beeedc8cd7e8880bb482274a8c0
Instruction Fuzzy Hash: 160171716003409FDB60CF6BD885766FB98EF04220F08C4AADD89CF656E778E544CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B9AF28, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00B9AF7C

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 465edde1557ab71d374e57bcd702628a72a50359a515ec92b4f8878cb08e362c
Instruction ID: a7810859554a146ff76cc9b3a9453268602468c1449819ce6174e0ccb9814f8d
Opcode Fuzzy Hash: 465edde1557ab71d374e57bcd702628a72a50359a515ec92b4f8878cb08e362c
Instruction Fuzzy Hash: 12016175409384AFD7228B15DC84B62FFA4DF46624F08C4DAED848B252D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE022A, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04CE0275

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: c2ce4a0dc601ad1d7d6c0b5360f450bd24f148ca6d96cacb68083509f885a99d
Instruction ID: 3b4d409c63bfe18aeb9cc2446974f3b1f1d084715bd7c6d9a65125cd94c859cd
Opcode Fuzzy Hash: c2ce4a0dc601ad1d7d6c0b5360f450bd24f148ca6d96cacb68083509f885a99d
Instruction Fuzzy Hash: 52012D75A047409FDB60CE5BD845B36FBE4EB04720F088459DD858B656E3B5E504CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B9B08E, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B9B0D2

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f7f870cd779aea226d3a589e06d3c43b7277e10994386798966c4762f1ea1f5e
Instruction ID: 1415e012945682a590e3254250cfe5156d21e365e7675d98f7743db57302b0e1
Opcode Fuzzy Hash: f7f870cd779aea226d3a589e06d3c43b7277e10994386798966c4762f1ea1f5e
Instruction Fuzzy Hash: FD015B32500740DFDF218F95E985B66FFE0EF08320F18C9AADD898A656D375A414DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2552, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 04CE258F

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2f5a346c8c8343c96566a891dbb3c19593d4e2294610a680d3b992ef92b5f431
Instruction ID: 79f27cb7ed27494e4d144cff7c02961300b1cc2d09b45af6f18be3d7bcaccd13
Opcode Fuzzy Hash: 2f5a346c8c8343c96566a891dbb3c19593d4e2294610a680d3b992ef92b5f431
Instruction Fuzzy Hash: 190171756012448FDB20CF1AD985B75FB98EF04320F08C4AADD468B656E374E544CA62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE25FE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04CE263C

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 156779c26203453a22750cabbf2c0abcec43190f9f09e29874f8d5fbf9d1d862
Instruction ID: 84a11fff7987368e3978431fba4f29d14df785282fc17271921d52037b0518e4
Opcode Fuzzy Hash: 156779c26203453a22750cabbf2c0abcec43190f9f09e29874f8d5fbf9d1d862
Instruction Fuzzy Hash: 6601B136600700DFDB208F56D844B66FBA8EF08320F08C5AEDD864B662D375E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00B9AEB2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 00B9AF02

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9cfe13c3b80cd5e84b90cc6cd23e85e82d4159c06a7298030b8be19457aaf138
Instruction ID: 7e105170b7ec8c50853e4b88101e08b6d780510a1ed541c9251894cbb7d4636d
Opcode Fuzzy Hash: 9cfe13c3b80cd5e84b90cc6cd23e85e82d4159c06a7298030b8be19457aaf138
Instruction Fuzzy Hash: B501A271500600ABD224DF1ADC82B36FBA8FB89B20F14815AED084B741E231F516CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A23A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00B9A26C

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: dd0fac211a70cb191f4f4bfd5c109f5df0880f4b23c199261535ea804e5786c0
Instruction ID: 2f40b58c0d8c35670e659df8a9de620b853e12abbd4c86558d75ee08ae4fb86d
Opcode Fuzzy Hash: dd0fac211a70cb191f4f4bfd5c109f5df0880f4b23c199261535ea804e5786c0
Instruction Fuzzy Hash: 9D018F75A043408FDB60CF5AD884766FBD4EF44320F18C4BBDD498F646D679E804CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A662, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00B9A694

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2866f66efc7f23407c73dc2c21e3aec1782e6a6ae6cba748203671449fddee68
Instruction ID: 4d64b6716b3be12b00e54a9744463bfe6f162d977cb3566566405ae0a33754d7
Opcode Fuzzy Hash: 2866f66efc7f23407c73dc2c21e3aec1782e6a6ae6cba748203671449fddee68
Instruction Fuzzy Hash: 6E017C756043409FDB60CF6AE884766FBE4EF04320F18C4BADD498B656D674E808CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2B32, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04CE2B6D

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 815e799d69bf7cc69b997bfbb7666ca2607c411749b8c1b5815ac27087fbd443
Instruction ID: 5d8f5e488b724b88ebe0ad491a18809f28c6efc05d371419ea58ee05060261af
Opcode Fuzzy Hash: 815e799d69bf7cc69b997bfbb7666ca2607c411749b8c1b5815ac27087fbd443
Instruction Fuzzy Hash: FC0171356007009FDB208F56D884B66FBA4EF08320F08C49EDD464B656D375E558DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B9A902, Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00B9A93D

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7f68d3a9227c35538634682d1d3c35a50d3453da6ec3e9277cb82ccce66c91b5
Instruction ID: 6c5d38f73ac8e44176a682fcfaef9f3fe0d5baa1d06135e573dd1bb9e0a9551a
Opcode Fuzzy Hash: 7f68d3a9227c35538634682d1d3c35a50d3453da6ec3e9277cb82ccce66c91b5
Instruction Fuzzy Hash: CD0171365007009FDB608F5AD884B65FBE4FF04720F18C4AEDD864B656D275E418DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B9B97E, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00B9B9BC

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e8e5310104f9a3f4161bd981e8daf9f1c232951b3c79f0ef8993844fe146c741
Instruction ID: de7e8d5e329d27f0612d12cc2d393c881511cb4dbae36b36ac58fe7644b98261
Opcode Fuzzy Hash: e8e5310104f9a3f4161bd981e8daf9f1c232951b3c79f0ef8993844fe146c741
Instruction Fuzzy Hash: EE017C35500700DFDB208F56E985B65FFE0EF08320F18C4AADE890A616D375E418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B9AD52, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00B9AD8C

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 383ef3fc0c4b9b8e56cd4500403edefff2059801bfbeca1084f58724125ac8ae
Instruction ID: 43998e74fb8638e14080eed1b3b6876f7747cde7155b820bd690503a342190da
Opcode Fuzzy Hash: 383ef3fc0c4b9b8e56cd4500403edefff2059801bfbeca1084f58724125ac8ae
Instruction Fuzzy Hash: FD016D756002409FDB60CF5AD889766FBD4EF45721F18C0FADD498BA56E278E804CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE28EE, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04CE2929

Memory Dump Source

Source File: 00000000.00000002.698806212.0000000004CE0000.00000040.00000001.sdmp, Offset: 04CE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e7ed5c5e12bbd82f151e3e5d55904cc1c37a62c90dade11c74c546037672268e
Instruction ID: 96d289574aeee5b4f67ee1487222679af11653f741b04c20b0d5dbd1ce2ea217
Opcode Fuzzy Hash: e7ed5c5e12bbd82f151e3e5d55904cc1c37a62c90dade11c74c546037672268e
Instruction Fuzzy Hash: 9E018F35500344DFDB208F56E884B25FBA4EF08320F08C49ADE850B616D375A518DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00B9AF4A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00B9AF7C

Memory Dump Source

Source File: 00000000.00000002.693096878.0000000000B9A000.00000040.00000001.sdmp, Offset: 00B9A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b029964db016e119a067ca4843aa6f1e47610230341bada39e44796baa05f409
Instruction ID: 5a8324cdd163f9f4c7eb2f88f8cb8967e41ada7842f2ccab89aa089d48ebabde
Opcode Fuzzy Hash: b029964db016e119a067ca4843aa6f1e47610230341bada39e44796baa05f409
Instruction Fuzzy Hash: 58F0AF755007408FDB60CF0AD884765FBE0EF04330F18C4EADD498B656E279A408CAA3

Uniqueness

Uniqueness Score: -1.00%

Function 026F0754, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

#, xrefs: 026F077B

Memory Dump Source

Source File: 00000000.00000002.693298253.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-2455148248
Opcode ID: 91a874eeaf7055927d2346afadf0122765ff22b33ae731969131603a20812770
Instruction ID: dff064ac4240b168079613620e083fc631306a99da363fdebdb3229265d74c94
Opcode Fuzzy Hash: 91a874eeaf7055927d2346afadf0122765ff22b33ae731969131603a20812770
Instruction Fuzzy Hash: 152180355097C08FDB03CB20D950B15BFB1AB46604F19C5DAD9548B6A3D3369806CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04C60B4D, Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

@, xrefs: 04C60B7D

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7f117ed8b2210cd20e9bcee639f3a2b271a5fa6efcb3b5cce69711b6ff7c47c2
Instruction ID: 0fc2b072f5254cd94bac442f59b2872c4d9fd472ac8cc1dce5ad1ba207d98624
Opcode Fuzzy Hash: 7f117ed8b2210cd20e9bcee639f3a2b271a5fa6efcb3b5cce69711b6ff7c47c2
Instruction Fuzzy Hash: ADF09274D08329DFCF60CFA6D984A9EBBB6BB45240F2091DAD05966115D7302A85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 04C60774, Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

?De, xrefs: 04C6077C

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID: ?De
API String ID: 0-2438334392
Opcode ID: 94f8b1a75acdb238200609f2d6e8079420c96193b020b80e3d232424f61b1681
Instruction ID: 0ebe87c225e370aa4241edec1ab9da3efdf060fb26843f4d356a44341eba3f0e
Opcode Fuzzy Hash: 94f8b1a75acdb238200609f2d6e8079420c96193b020b80e3d232424f61b1681
Instruction Fuzzy Hash: 58F012B4C06259DBCB20DFA0C8816DDBBB2FF42700F105AADC0556B214EB310A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04C69450, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf0ed2b6f9a25beb62864e88ca8fdf8441805d2dc6b18092c545040eae1c0c9
Instruction ID: 2769c8b5e70e385b86dd48484cbd989795768c763d08ee28fd8503ed3e8f847c
Opcode Fuzzy Hash: fbf0ed2b6f9a25beb62864e88ca8fdf8441805d2dc6b18092c545040eae1c0c9
Instruction Fuzzy Hash: 4851C8B1E0424CCFDB54CFAAC59069DBBF6FF89300F24852AD416AB255E730A945CF41

Uniqueness

Uniqueness Score: -1.00%

Function 086D66F5, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.703652718.00000000086D0000.00000040.00000001.sdmp, Offset: 086D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59eabff24d1361c9da6208cf0ea5a4e48e1ecf95df42837898a8569bb3c28851
Instruction ID: 8cd7a0ea20327fb83ebf0ea124f67354d43d9073d1655caa0ca0da0997143085
Opcode Fuzzy Hash: 59eabff24d1361c9da6208cf0ea5a4e48e1ecf95df42837898a8569bb3c28851
Instruction Fuzzy Hash: 4511A27188A7D44BC7028F68F4551F9FFB29B03624B3846DFC4805EA63C6B15C85E762

Uniqueness

Uniqueness Score: -1.00%

Function 04C62690, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7969159318ac2642c6866fb0dea7f71533913c4fbf35d82565e7a7e923f6b9fd
Instruction ID: 9f2770f64ebd25e7bd53d7f89897e86b30bbd4386acc032498a544d99cdbe32a
Opcode Fuzzy Hash: 7969159318ac2642c6866fb0dea7f71533913c4fbf35d82565e7a7e923f6b9fd
Instruction Fuzzy Hash: 6531F6B4E0520ACFCB44CF99C5819AEBBF1FF48300F1084AAD815AB314D738AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04C626A0, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc54ee9127d85980badc6fb62cc4c633d01460817855b6eb32e6995d087377d6
Instruction ID: b66b91591c615bf2d1a8e3d53ba1264abba44cb59ff2d7c8828c035d5c4007a8
Opcode Fuzzy Hash: bc54ee9127d85980badc6fb62cc4c633d01460817855b6eb32e6995d087377d6
Instruction Fuzzy Hash: E021B2B4E0420ADFCB44DF9AC5819AEBBF2FF49300F5094AAD825AB314D734AA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04C6279B, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03cfbc4d649a421ae10db37b796150b79e2cc46c68bd8069531d6af61725294f
Instruction ID: e1fdeafd89e8de293e383c04b70b89f3a1b9ae72907511c94016cd9fb0bc2bd6
Opcode Fuzzy Hash: 03cfbc4d649a421ae10db37b796150b79e2cc46c68bd8069531d6af61725294f
Instruction Fuzzy Hash: BC210774E04209DFCB04DF9AC58599EFBF2BF88300F25C99AD405A7214D734AA409F50

Uniqueness

Uniqueness Score: -1.00%

Function 04C69F40, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c98f63392a2ef22701b38e2f6e8bf7e5abe5ccb2a0bc595740fa7ef2be8227e
Instruction ID: 2d53574cc265003e48893ec3c164826c3e883e0ee234d7f676de999abdc26407
Opcode Fuzzy Hash: 1c98f63392a2ef22701b38e2f6e8bf7e5abe5ccb2a0bc595740fa7ef2be8227e
Instruction Fuzzy Hash: D521A2B0E0A209EECB04DFF5D29155DFBB9EB85200F25D89EC403A7240E634EB00DB45

Uniqueness

Uniqueness Score: -1.00%

Function 026F078C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693298253.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a251d1d0a1c71d91715415d4724cc691ab29475fa8f93f3f60e5950052aa94aa
Instruction ID: 24ac3385479abda81eeedc4d7f56178d1411d6aa3a85b573e319466921fe93fa
Opcode Fuzzy Hash: a251d1d0a1c71d91715415d4724cc691ab29475fa8f93f3f60e5950052aa94aa
Instruction Fuzzy Hash: 6011D635244344DFDB55CB14D944B26FB95EB88708F24C5ACEA490B757C77BD803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 04C64223, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa05dcca26faae69a6cde270b608e2d8ed10ed66dd159b0f962fe45e5ed78b8
Instruction ID: 071820a041bd9c7e27e231f1bd08af7cdf24d45ae657835cadbd742f9cc44def
Opcode Fuzzy Hash: 0fa05dcca26faae69a6cde270b608e2d8ed10ed66dd159b0f962fe45e5ed78b8
Instruction Fuzzy Hash: 96112E70E14149DBCB08DFAAC5846AEFBF1FF89304F24C9AAD415A7214D730AB45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 04C64219, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4106c007ebffd3661cf015d42a946800ff8c7911bcfd667553c231ea64ea3a2f
Instruction ID: 469be09748e08c5c0ea3256349bb6a9319629aa65f646fc6432edf5c39c01bbc
Opcode Fuzzy Hash: 4106c007ebffd3661cf015d42a946800ff8c7911bcfd667553c231ea64ea3a2f
Instruction Fuzzy Hash: 45111F70E15249DBDB08CF96C5849AEBBB1FF89204F24D996D426AB254D734AB009B48

Uniqueness

Uniqueness Score: -1.00%

Function 04C60070, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fab5f5f2413ce04068d50adf31e064f33ec8d850fe9efe5ccbd8b310ccf6e4e
Instruction ID: e6779a9f542f6c7dd5c25389f8273fc622505e869810464c2ae810bc61e3f20b
Opcode Fuzzy Hash: 6fab5f5f2413ce04068d50adf31e064f33ec8d850fe9efe5ccbd8b310ccf6e4e
Instruction Fuzzy Hash: 26019E34905309EFCB04CFF2D58625EBFB2EB4A715F20D5AAD006A7254DB70AB51DA11

Uniqueness

Uniqueness Score: -1.00%

Function 026F05CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693298253.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecf0bf871f815d50d313fa79138bff2fceddebd7eb6cbf67df00e587ad301dc
Instruction ID: 65311644d1ebbf2dac66329270bb67b03033ef894fb979ebe31678c82349bf93
Opcode Fuzzy Hash: 0ecf0bf871f815d50d313fa79138bff2fceddebd7eb6cbf67df00e587ad301dc
Instruction Fuzzy Hash: B301A2765097806FD7128B1A9C40862FFA8DF86230719C49BEC898B613D225A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04C6006B, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22e41ffaa30ac226ea637635284785997452ac318286687f50cd076a962d6b0
Instruction ID: e6ca6dffb9401224d6c440d24ae6e0527faea8700fefca4e80830ba3e232d4b7
Opcode Fuzzy Hash: c22e41ffaa30ac226ea637635284785997452ac318286687f50cd076a962d6b0
Instruction Fuzzy Hash: 7D01CC34905209EFCB04CFB2D58A14EBFB2FB86715F20D5AAD006A7214DB309B51CA11

Uniqueness

Uniqueness Score: -1.00%

Function 04C6054D, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f154b28aa99d5887477db5a319418585040f43ebcdb34742f41705e286d805
Instruction ID: 74883bf5ef1585a2e805166fc6533e7a179c50918550ca9e7f7a7ddfeecd2660
Opcode Fuzzy Hash: f5f154b28aa99d5887477db5a319418585040f43ebcdb34742f41705e286d805
Instruction Fuzzy Hash: E411E2B4D002198FCB24DF64C881ADDF7B2FF0A300F14869AD159AB205D734AA81CF84

Uniqueness

Uniqueness Score: -1.00%

Function 04FC4093, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1ca7eccc1549e4b99474f30418bcb726dc853e95621fd7b1e1952a629ee1cd
Instruction ID: 3a8c2ed31d527c61f873eab9b8785dd098e4324f78625ef4df2de8f51b09d20b
Opcode Fuzzy Hash: 6b1ca7eccc1549e4b99474f30418bcb726dc853e95621fd7b1e1952a629ee1cd
Instruction Fuzzy Hash: AD010C35A45618DFCB20CF64CC40A9AB7B1FF4A302F5096E9D959AB3A0D771AE41CF01

Uniqueness

Uniqueness Score: -1.00%

Function 04C642FB, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9708bf27b0af4ec53c03148258be145c5ccd87df9e28d69924ea08ff7d24364f
Instruction ID: 9fbdec33dab611e04dbddc8499fddef98faaf58c231b510932b5f6b9da1ebd8e
Opcode Fuzzy Hash: 9708bf27b0af4ec53c03148258be145c5ccd87df9e28d69924ea08ff7d24364f
Instruction Fuzzy Hash: 4A016B78A00104DFCB05DBA9D589A5DFBF2EF89300F15C0A5D9099B365DA70DD51CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04C64300, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead74cc8f03dc8b58fab62bc23fd86510fd50a0808e8fe89789902293cac73de
Instruction ID: a7ed9142d45e59f119443e5369f2127af5af0e28336edd585f08afc12896c6dd
Opcode Fuzzy Hash: ead74cc8f03dc8b58fab62bc23fd86510fd50a0808e8fe89789902293cac73de
Instruction Fuzzy Hash: D4F06678A00208AFCB04DBA9D589A5DFBF1EF49300F15C0A599099B361DA70ED50CB41

Uniqueness

Uniqueness Score: -1.00%

Function 026F0638, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693298253.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0901566a95b5a64bceeb6ff83b7b2b88211e346358c6ba0e647fa42fe0066c
Instruction ID: 3c1ec6e034c4418b3cb1c9cedf4cdf20af117c6e0106ea86eae817b8c31c1a1b
Opcode Fuzzy Hash: 6a0901566a95b5a64bceeb6ff83b7b2b88211e346358c6ba0e647fa42fe0066c
Instruction Fuzzy Hash: 7FF0E5B750C3404FD7468E15BC110A2BBE0DB8223072A44FBC849CF293E526EA4CC776

Uniqueness

Uniqueness Score: -1.00%

Function 026F0848, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693298253.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: fd65ffd1ec1d0e68e96dacf48cb0dcbe819b8b82ca38774ce9aa100791f91e79
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: EDF01935208644DFC716CF40D940B26FBA2EB89718F24C6ADE9990B766C337E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 04C6048E, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5c7f761e0f60f818e7b4efac5efac4a8f667a4f107c07e9658afef07ff8763
Instruction ID: fd1675e1f578cecfe7911284f632e82e1175429c86505c634dc2d0ab2b3ecac3
Opcode Fuzzy Hash: 1c5c7f761e0f60f818e7b4efac5efac4a8f667a4f107c07e9658afef07ff8763
Instruction Fuzzy Hash: 39F0FF78D05259CACB70CF61C8516DDFBB2BF4A340F1055D9854E7B245D73059818F41

Uniqueness

Uniqueness Score: -1.00%

Function 04FC38BF, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbf53b4c74f5355ec9d30d23cfbe11209d608614084cb07fadb5f6bc6090991
Instruction ID: ba66cca74d784f378fe143934512b83d967966a18bf34a0bec115cf3239f4f5d
Opcode Fuzzy Hash: 2bbf53b4c74f5355ec9d30d23cfbe11209d608614084cb07fadb5f6bc6090991
Instruction Fuzzy Hash: B2F0EC34E54214DFC751CB54DD55BA9BBB5EB8A301F1051E99409AB395CB746E408F40

Uniqueness

Uniqueness Score: -1.00%

Function 026F05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693298253.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bca4d1d668630fbbfff989dcf89794bf89f06affa62138a7dacb30eb9f43c15
Instruction ID: 3b0abdd91b03bbe2e109fc43c4f53dd43176a72221231990b8ab40c08efa693b
Opcode Fuzzy Hash: 0bca4d1d668630fbbfff989dcf89794bf89f06affa62138a7dacb30eb9f43c15
Instruction Fuzzy Hash: 03E092766406009BD650CF0AEC41466FBD8EB88630B18C47FDC4D8B701E535F504CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 04FC099F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d147a4819f1d0bac302732cdd50ff7ac915a2946e8f1ade1bee173d8fe8a25c7
Instruction ID: afc796304d71bfea920c5783f33fbcae43e343305bfe7ed5c9a754aed13d2a88
Opcode Fuzzy Hash: d147a4819f1d0bac302732cdd50ff7ac915a2946e8f1ade1bee173d8fe8a25c7
Instruction Fuzzy Hash: FEF09030D44256CFCB14DF64C895AA9BBB2FF85308F1085FAC4095E256C736AA41DF80

Uniqueness

Uniqueness Score: -1.00%

Function 04C63882, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ef1ce1fb269e0a5ca48d043b9426a890248ce4efa39d3ce7d126103422e5e3
Instruction ID: 8bc7b2b7764fffe83b9e74d9c19ba47f6014326b7ec1964d200517a6aa44d2a4
Opcode Fuzzy Hash: 37ef1ce1fb269e0a5ca48d043b9426a890248ce4efa39d3ce7d126103422e5e3
Instruction Fuzzy Hash: AFF09778C162A8CFCB619F61D8957DCBBB0FB0A311F1041EAC55A6A254DB355BD0DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2B69, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c421c4ef3a051e4a96bb7b77995483cc075a0705af85a1b167dfa843e7d80c
Instruction ID: 915ab744a03aea21f4d94f47d425515468afc7112231d14a29d81e81c6a827a1
Opcode Fuzzy Hash: 95c421c4ef3a051e4a96bb7b77995483cc075a0705af85a1b167dfa843e7d80c
Instruction Fuzzy Hash: 14F0F930D4522F8BCB24CB98D944B9DB7B1FF84705F1096EA800D6B608DB38BE818F90

Uniqueness

Uniqueness Score: -1.00%

Function 086D6194, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.703652718.00000000086D0000.00000040.00000001.sdmp, Offset: 086D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb81b9bf6d8828189783411092c4bc733a8317cde72b7da787a976fd0378ddc
Instruction ID: 0bfdab9f0bcb4d39842b9cd74e011e3850bdc48fc50f4eb87ccfd09f29820771
Opcode Fuzzy Hash: abb81b9bf6d8828189783411092c4bc733a8317cde72b7da787a976fd0378ddc
Instruction Fuzzy Hash: ABF0E274814218CFCB64DF24D88E6D8BBB1FB59311F1082A6D96AA3258DBB01AC1CF80

Uniqueness

Uniqueness Score: -1.00%

Function 04C693F3, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca6e11c7251d852382bda7f4191049bd672326c002610018f9e9df181429fd3
Instruction ID: a032ff62c5ec4887dd5b0d3da17545acb22def75eaf9324b2b6407ec43d36548
Opcode Fuzzy Hash: 5ca6e11c7251d852382bda7f4191049bd672326c002610018f9e9df181429fd3
Instruction Fuzzy Hash: E1F015B0D0120ACFCB44EFB8D8442AEBBF1BB04604F1044B9D805A7340EB306A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 086DC1C0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.703652718.00000000086D0000.00000040.00000001.sdmp, Offset: 086D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4e037d4784a72f184401eaff1ee01b1a3dd3f58e2c4b9e83cd2bf57f56f847
Instruction ID: 01cc51626b255333339d1b8272698b344c306893949f5b214a1383297899eee1
Opcode Fuzzy Hash: 8a4e037d4784a72f184401eaff1ee01b1a3dd3f58e2c4b9e83cd2bf57f56f847
Instruction Fuzzy Hash: B1E04F3094030CDBC700EFA4E84A66D7B34FB46702F105169D805233A4DF706941CA90

Uniqueness

Uniqueness Score: -1.00%

Function 04C67E76, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917fcf14319229603fd3a3aa532d1b4702a8dc4d35856599280cafe9cdb60104
Instruction ID: 4904e95fa00ff21c6261cee6857d7c7095f69a1c30afd7faad77a2e29541976a
Opcode Fuzzy Hash: 917fcf14319229603fd3a3aa532d1b4702a8dc4d35856599280cafe9cdb60104
Instruction Fuzzy Hash: 3BE03974E092688FDB10CF518850BDAFBB2BB46314F0491E5C44AA3241D33469859F46

Uniqueness

Uniqueness Score: -1.00%

Function 04C693A3, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe59ab93782bd10cd18e0237021b31151e931f664cad682e2f2dc903fa0a6a4a
Instruction ID: 395eeab90df2cde077461066a00f8455b6b2373e124b028543136814a3374f59
Opcode Fuzzy Hash: fe59ab93782bd10cd18e0237021b31151e931f664cad682e2f2dc903fa0a6a4a
Instruction Fuzzy Hash: 35E0DF78804240CFC705EFBCEA996587FF0EB05309F2440AEC806D3261D6309A98C702

Uniqueness

Uniqueness Score: -1.00%

Function 04C67F6A, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef40dc07dc4b9c07bd630c0935aa3b29aff039faf5e79c7bcc5529fe09a68d2e
Instruction ID: 07a80db8413c68ed2e97e4bb9655e987a6088a65f223a44277e4559a0a41e918
Opcode Fuzzy Hash: ef40dc07dc4b9c07bd630c0935aa3b29aff039faf5e79c7bcc5529fe09a68d2e
Instruction Fuzzy Hash: 34E0E5B4E042089FDB04CF96C880B9AFBF6AF9D310F15D0A59108BB254E7309A458F25

Uniqueness

Uniqueness Score: -1.00%

Function 04C693B0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11964ee5426cbd1b339f5f2328f222886018a276c12294536f78240e49443f75
Instruction ID: d25ad8ca4d07cb9ffeebb8f22e420b9545aa647391da4eaf3ecc1cac86371b46
Opcode Fuzzy Hash: 11964ee5426cbd1b339f5f2328f222886018a276c12294536f78240e49443f75
Instruction Fuzzy Hash: 3FE01278900208DFC744FFBCD8496687BF4EB05709F1444B9DC0693350DA716A94CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04FC164B, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8880e741cd0bf8100302fcc34daf59c91763c0168a91cdcf81e804bec5541d
Instruction ID: 99432a7c730fc838d7e8cfe00d989e47c20ad850cbd2a743674184bcb54f4e26
Opcode Fuzzy Hash: 0d8880e741cd0bf8100302fcc34daf59c91763c0168a91cdcf81e804bec5541d
Instruction Fuzzy Hash: 2CE01AB5949219DFCB50CF60C90459DB7F5FB49204F0088E9C409A7210DF705942CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00B923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693087997.0000000000B92000.00000040.00000001.sdmp, Offset: 00B92000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0586917834cd1fd7e6d631a1c400b05620717b51ddf04181cddee4ef6067a29e
Instruction ID: 9ae710b1e6219ffb1e0cc24ba9acc270e1aa3d510c70064f584d7b50c7dc8790
Opcode Fuzzy Hash: 0586917834cd1fd7e6d631a1c400b05620717b51ddf04181cddee4ef6067a29e
Instruction Fuzzy Hash: F3D05E79605A915FD7268B1CC1A9B953BD4EB61B04F4684F9E8008B767C369DA81D200

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0264, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83a7b52fc661cfebf53f97e8960426d38b1fd6e809d3c42752103ec22406684
Instruction ID: ab5017fc708d192ebb7ac4713026bc5a2ebc2e5fcd740787eccf5954b30f265b
Opcode Fuzzy Hash: e83a7b52fc661cfebf53f97e8960426d38b1fd6e809d3c42752103ec22406684
Instruction Fuzzy Hash: C2E0BF31D5422E9FC714DB58C9806DDB7B2FF84200F115AAA90195B194DB78BE818FC0

Uniqueness

Uniqueness Score: -1.00%

Function 00B923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.693087997.0000000000B92000.00000040.00000001.sdmp, Offset: 00B92000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44edc994ec1b7a399c9d46bc391b5a4ace16fb1b1499f1b8c91787c46b2580eb
Instruction ID: a223c30296b15f12e4a726fd6433b677a9a4f4b238a45322378436b660756391
Opcode Fuzzy Hash: 44edc994ec1b7a399c9d46bc391b5a4ace16fb1b1499f1b8c91787c46b2580eb
Instruction Fuzzy Hash: 09D05E346042814FCB15DB0CC194F593BD4EB41B00F0644F8AC008B266C7A8DC81C600

Uniqueness

Uniqueness Score: -1.00%

Function 04C67906, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e060917ef09f14d219964c453bf58977de35f0614345569b6d803d12c2e7aa6
Instruction ID: 39da5056a04e8bf0f2bb8a1ee0507f3f25e84c38c211b4e85935072fe4f08997
Opcode Fuzzy Hash: 7e060917ef09f14d219964c453bf58977de35f0614345569b6d803d12c2e7aa6
Instruction Fuzzy Hash: E9D05E34E082199BCB10CEE0C54078EBBB5AB05304F1090955409E7240DB309B45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04C6800C, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e430006b73cd4bff85906e591360de3c797a9ea4d6a3c397ad5d7d6dcfa5385f
Instruction ID: d4686be36ba3ba06ebc2f43bdba2f38c426fd1b4813a24ed272de5b94c66c319
Opcode Fuzzy Hash: e430006b73cd4bff85906e591360de3c797a9ea4d6a3c397ad5d7d6dcfa5385f
Instruction Fuzzy Hash: AFD09E74D042189BCB50CF91C84179EBBF5AB49300F1094D58046B7241D7359A40DF55

Uniqueness

Uniqueness Score: -1.00%

Function 04C676C1, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466cd27bdb34b229ae91704fff718d82af8d68601c7f40d09b2fa68739de20a1
Instruction ID: 2f27c313615e253a8f56722d89b3d3300fcdfa3a9df23f5f24a866613ce13b98
Opcode Fuzzy Hash: 466cd27bdb34b229ae91704fff718d82af8d68601c7f40d09b2fa68739de20a1
Instruction Fuzzy Hash: 4DD012B4E082488BDB40CFD4C441FAEFBB5AB45300F0090D99109B7280D7349A04DF36

Uniqueness

Uniqueness Score: -1.00%

Function 04C618DB, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ed7295dbe305e3b46e22b100d0e6749e219156401f6e8618abdff9d2a630ac
Instruction ID: e5b66f39fd6dcd0d0afab8062572da32842e88e39c678635ff539f0509bedd73
Opcode Fuzzy Hash: 14ed7295dbe305e3b46e22b100d0e6749e219156401f6e8618abdff9d2a630ac
Instruction Fuzzy Hash: D4D05E7090221ADFCB50DF54DCC6B8CB7B2FB41340F000699E40B97114DB309A41CF44

Uniqueness

Uniqueness Score: -1.00%

Function 04C67691, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ff999bb80367b89660b4c3774026ae79c20f9abaa9ea6170d6c0697fe09478
Instruction ID: 91a8086ebf0c6e077ca2d07deb6d8eb87a18e9672e791c0c96179dfb2f7fad37
Opcode Fuzzy Hash: 26ff999bb80367b89660b4c3774026ae79c20f9abaa9ea6170d6c0697fe09478
Instruction Fuzzy Hash: A1D0C975E082158FDB54CEA0D44179BFAB5AB45300F00A4D65019E6255D7345A40CF65

Uniqueness

Uniqueness Score: -1.00%

Function 04C63A4E, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50327055c9f8febe37ed678258c53c6c0f42883360a1f57004fd99fcdfc0042
Instruction ID: 5d8da059090fc56fadea0a8baa89f036f5ca8369009331dba32357e0449e324a
Opcode Fuzzy Hash: d50327055c9f8febe37ed678258c53c6c0f42883360a1f57004fd99fcdfc0042
Instruction Fuzzy Hash: 14D06C74A01258CFCB14CF60CA809AEBBB2EB4A302F2140A9E80977314C772AE81DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04C67E39, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7f771bcc946f7bcb8e57aca19f808c66ca17d1507df7277f3df3e3e80c172c
Instruction ID: 272a0ef3fdc77a0b65e36df5effb48341cd17f24b4dcdb134c4d3f699654fb37
Opcode Fuzzy Hash: aa7f771bcc946f7bcb8e57aca19f808c66ca17d1507df7277f3df3e3e80c172c
Instruction Fuzzy Hash: 65C01278E082089BCB40CF94C840B9EBBB6BB49300F00A1D58009B3242E7309A408F19

Uniqueness

Uniqueness Score: -1.00%

Function 04C63749, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634c78fa8a70290bfeeb954774a176748f67c839256eb1d0e2cf8b8b74077b79
Instruction ID: 1897ffb26d626c17a5426dc7703c36e13ce376df34973a2c1a853729cdfc99a9
Opcode Fuzzy Hash: 634c78fa8a70290bfeeb954774a176748f67c839256eb1d0e2cf8b8b74077b79
Instruction Fuzzy Hash: 61D0127190D1819ECB40DF94D5965597770FB4231172420B684269E06DC370C500DF91

Uniqueness

Uniqueness Score: -1.00%

Function 04C67D58, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3534e16efaff7fee9f8269ffed546332a1a3559f0cbaa56b8b150b45010caf
Instruction ID: b7636f74b4d2d4283fe6858f6706557ec539bfe6f9e902d998f7387f9ce101e3
Opcode Fuzzy Hash: 8c3534e16efaff7fee9f8269ffed546332a1a3559f0cbaa56b8b150b45010caf
Instruction Fuzzy Hash: 40C002B8E082189FDB50DFA0C881BDFBBB6AB49310F1561A99109B3251D7305A81DF19

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04FCC750, Relevance: 3.9, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

:@pq, xrefs: 04FCC86C
>_uq, xrefs: 04FCC889
f]uq, xrefs: 04FCC7A0

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: :@pq$>_uq$f]uq
API String ID: 0-1736331789
Opcode ID: 94a2e2795c8bdd66afa7a5d7b3428596aa1bd3de6039a5c585cab1c5d7249ea4
Instruction ID: 548d435c7d0f6b98ee1e9a84d1e284904a2c50664b1fc8a8739e6eea54fd912c
Opcode Fuzzy Hash: 94a2e2795c8bdd66afa7a5d7b3428596aa1bd3de6039a5c585cab1c5d7249ea4
Instruction Fuzzy Hash: 6A514570E012098FD744DF6EE94A79EBBF2FF89304F14C16AD108A7669DF7058068B91

Uniqueness

Uniqueness Score: -1.00%

Function 04C65440, Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

<l{, xrefs: 04C65554
<l{, xrefs: 04C6556B

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID: <l{$<l{
API String ID: 0-2950375838
Opcode ID: 561c1d25bc479cebf23a6cd21343e53eedecb06fd3544c669f22816bbf0fce2d
Instruction ID: 82315539393926b7cd366a8cb7479616eba08b84aab62e3e167fd8cbaaa7d012
Opcode Fuzzy Hash: 561c1d25bc479cebf23a6cd21343e53eedecb06fd3544c669f22816bbf0fce2d
Instruction Fuzzy Hash: 0F51E874E15219EFCB04CF99E5809AEFBB2FF48340F248599D816B7214E334AA41DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04C6543B, Relevance: 2.6, Strings: 2, Instructions: 138COMMON

Download Yara Rule

Strings

<l{, xrefs: 04C65554
<l{, xrefs: 04C6556B

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID: <l{$<l{
API String ID: 0-2950375838
Opcode ID: cb69841108c25af9a9a433d9a2468803f900effbadb27ec445b6d416b2187944
Instruction ID: 69a07979de36cb856a60686c270d2fb1917dd19aa85ad716f8784bb87b55a9aa
Opcode Fuzzy Hash: cb69841108c25af9a9a433d9a2468803f900effbadb27ec445b6d416b2187944
Instruction Fuzzy Hash: 5251E874E15219EFCB04CF99E5809AEFBB2FF48341F24C596D816A7214E330AA41DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 086D1B27, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

9, xrefs: 086D1E4E

Memory Dump Source

Source File: 00000000.00000002.703652718.00000000086D0000.00000040.00000001.sdmp, Offset: 086D0000, based on PE: false

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: b0b8e9470fe1fd8c71c187522bef0dbf2360f4763c87d1f6006ee9577566d578
Instruction ID: 3ae7234f7d38e3f7f0e0074bb972192fbdbbabb8c224f28bdd4f1ac788a930b9
Opcode Fuzzy Hash: b0b8e9470fe1fd8c71c187522bef0dbf2360f4763c87d1f6006ee9577566d578
Instruction Fuzzy Hash: C4918EB1E006288BDBA4DF29C9917C8BBF5EF4A300F1181E9D14CA6255EB319ED5CF16

Uniqueness

Uniqueness Score: -1.00%

Function 04C60128, Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

<, xrefs: 04C6023C

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: cba907657c00bcafa2bf46fbff008c55932fa2e90e39eed3213c1d5755284e38
Instruction ID: 2ec9376dfcf33e0f6d052cec7d6c270501d62168d44676b4e47ab477264dbaaf
Opcode Fuzzy Hash: cba907657c00bcafa2bf46fbff008c55932fa2e90e39eed3213c1d5755284e38
Instruction Fuzzy Hash: 4251B375E046189FDB58CFAAC9446DDBBF2AF89301F14C0AAD40DAB265EB305A85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 04FC7210, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532731d9923239f8b00c2245198ce9bbed4c6b9f4742410ad100345052b79793
Instruction ID: 4f706c1fc74575a30ca91394dd16eac8044850e94f047b43f1f3f9526e372c05
Opcode Fuzzy Hash: 532731d9923239f8b00c2245198ce9bbed4c6b9f4742410ad100345052b79793
Instruction Fuzzy Hash: 73E13774E0425ADFCB04DFA9C6809ADFBF2FB89304F248169D815AB345D771AA42DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C687F8, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e07aa35976d645677db5988c99b201e077a8fe151913f182d623fe84145a85
Instruction ID: 36cc8297fcb95142674f29e4bd58eb8222d19f2b1fcb50e970b72cff5b61706b
Opcode Fuzzy Hash: a0e07aa35976d645677db5988c99b201e077a8fe151913f182d623fe84145a85
Instruction Fuzzy Hash: CDA14674E05219DFCB14DFA6C4806ADBBB2FF89300F14C56AC40AAB345D734AA42DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04C6887C, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc932e27f5fbf37ef9b3cf75deb5ced4bf38c6a54a7de2d2e6b56df34799dc01
Instruction ID: 3143e42080e5aceb79965524ed31f1a7eb558f08e0606964611b5aed61860499
Opcode Fuzzy Hash: bc932e27f5fbf37ef9b3cf75deb5ced4bf38c6a54a7de2d2e6b56df34799dc01
Instruction Fuzzy Hash: 2AA13474E05219DFCF10DFA9C480AADBBB2FF49344F1485AAD40AAB355D734AA42DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04FC6C20, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698937071.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7ed323ae13d7d57e968529d34f20c688ff51ad8dd6b23be0ee4da86bbcb10d
Instruction ID: 00bb7bf1e27d838d6eb2814e30ece70adaf06421401704b2733db6494c286f22
Opcode Fuzzy Hash: ca7ed323ae13d7d57e968529d34f20c688ff51ad8dd6b23be0ee4da86bbcb10d
Instruction Fuzzy Hash: C791F574D0425ADFDB14DFA9C6805ADFBB2FF89304F24C56AD815AB205D334AA42DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C687F3, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcb371794a798561fd59b75303ba7de2c30c3043c8a2272de50252445d9ed59
Instruction ID: 4c3445af36536548a470b53b5d3aea36c7f3c4201122583019f00f3b73f8a656
Opcode Fuzzy Hash: bdcb371794a798561fd59b75303ba7de2c30c3043c8a2272de50252445d9ed59
Instruction Fuzzy Hash: 67914674E05219DFCF14DFAAC5806ADBBB2FF89300F14C56AC40AAB255D734AA42DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04C68A22, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150aa5418e2a2c4f55fb4771a4ed9217f91c051e517d252cdff3d27158a0fd48
Instruction ID: acb8fbb6a1cb91fd4121d9eb59bd02ad8fbbe0894e26999d4d207d76b04447e6
Opcode Fuzzy Hash: 150aa5418e2a2c4f55fb4771a4ed9217f91c051e517d252cdff3d27158a0fd48
Instruction Fuzzy Hash: E2814474E05219DFCF10DFA9C580AADBBB2FB49344F14C5AAC40AAB345D734AA42DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04C68DC8, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e8e2b93fc9a4c6d736726fc2c526a1e35badde0d6b2acea62b8901efeefe8b
Instruction ID: ae4d7a7499cd048cc694e6dca24cda2552c3ef01b14c62753fce02cdd3a18098
Opcode Fuzzy Hash: c5e8e2b93fc9a4c6d736726fc2c526a1e35badde0d6b2acea62b8901efeefe8b
Instruction Fuzzy Hash: 9C710778D04259DBCB04DFA9C5804ACFBB3FB89304F24C569D819AB349D771AA42DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C68DC3, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab787436077cd8c9fe682e690ef31f1bb504f209300e123d5ad771774816f07
Instruction ID: 314bb17a18abd6ae3f3601789f8dccb765e54c5dc4205d357a1b29a8e8b0434b
Opcode Fuzzy Hash: 1ab787436077cd8c9fe682e690ef31f1bb504f209300e123d5ad771774816f07
Instruction Fuzzy Hash: 2A710678D04259DBCB04DFA9C5804ADFBB3FB89304F24C569D819AB309D771AA42DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C649C8, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0554fd4c21e98f6a40d4eb174935d6d04d7ac27b318871c435bc7a6210f18633
Instruction ID: 0db85cd5a7dbba1659529f9eca204cf65ebd08797012201281307bb0cdd92628
Opcode Fuzzy Hash: 0554fd4c21e98f6a40d4eb174935d6d04d7ac27b318871c435bc7a6210f18633
Instruction Fuzzy Hash: 5D61CC70E25209EFCB04CFA9D484A9DBBF2FF49310F15C5AAE416AB211D734AA40CF58

Uniqueness

Uniqueness Score: -1.00%

Function 04C649C3, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dddc9fdc46bd2b9c9c30493575e9064666851fadc930c4d74f1717c227d55e83
Instruction ID: 01d8939e7357acc0f8bbeb8b1dd858dbc77eecbf61f4ce1747e37bccf0a605cd
Opcode Fuzzy Hash: dddc9fdc46bd2b9c9c30493575e9064666851fadc930c4d74f1717c227d55e83
Instruction Fuzzy Hash: 0961CE74E25209EFCB04CFA9D48499DBBF2FF89350F14C5A9E416AB211D734AA41CF18

Uniqueness

Uniqueness Score: -1.00%

Function 04C65BE8, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45052c12de6e15813393a879cad6ebe5a7a87230fc5ccbb5e082dfc916f3190
Instruction ID: 9e2be4886fd5d1b6375eb2fb9d1d2828e482935c02e4c71749b100e65e82c042
Opcode Fuzzy Hash: a45052c12de6e15813393a879cad6ebe5a7a87230fc5ccbb5e082dfc916f3190
Instruction Fuzzy Hash: 1D61D375E1521EAFCF04CFA6D5815AEFBF2FB48200F64D56AD416B7214D338A6028F54

Uniqueness

Uniqueness Score: -1.00%

Function 04C65BE3, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4899c0e2e0c9d204631699c12ad1ad871dec8329868f07d5878ad491f7bbad
Instruction ID: cb27d46d1e4f2606d5a145ca85a894434861849c6bbd784527e60c5936687d4f
Opcode Fuzzy Hash: 1d4899c0e2e0c9d204631699c12ad1ad871dec8329868f07d5878ad491f7bbad
Instruction Fuzzy Hash: 7951C375E1521EAFCF04CFA6D5815AEFBF2FB88200F64D56AD416B7214D338A6028F54

Uniqueness

Uniqueness Score: -1.00%

Function 04C65FC9, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3d2226c673428dd245ff2a05e3ff4483676e15a0398b0bab881b0a8599c2a8
Instruction ID: 625fb1e091c73d4c707b587b6dc8fc4334c64307fa24be7c4ae4d9895224e831
Opcode Fuzzy Hash: 7c3d2226c673428dd245ff2a05e3ff4483676e15a0398b0bab881b0a8599c2a8
Instruction Fuzzy Hash: 87416E75E056188BEB5CDF6B8D4469EFBF3AFC9300F14C1BA854CA6225DB341A458F11

Uniqueness

Uniqueness Score: -1.00%

Function 086D0070, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.703652718.00000000086D0000.00000040.00000001.sdmp, Offset: 086D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f6d487eac156be0f399223ee96743e8ecd15ca6b91c670a8369b174502018e
Instruction ID: d91c059549fc4d41bf186c74d9b0296c12b0b3bbd0b4ee91e16058d4e4d4a34c
Opcode Fuzzy Hash: e6f6d487eac156be0f399223ee96743e8ecd15ca6b91c670a8369b174502018e
Instruction Fuzzy Hash: 1D4161B1E006188BEB5CCF6B8D4078AFAF7AFC9200F15C1BAC51CA7215DB7049868F55

Uniqueness

Uniqueness Score: -1.00%

Function 086D006B, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.703652718.00000000086D0000.00000040.00000001.sdmp, Offset: 086D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f7c93deb1eaf7c6a536efe68feba186487fbc0c79db34224ac25ec44e3ca2d
Instruction ID: aba350a5c76e6f1ee1d63b9a3f98f1d70805a25621a4a155e1231ba0c99105f2
Opcode Fuzzy Hash: 96f7c93deb1eaf7c6a536efe68feba186487fbc0c79db34224ac25ec44e3ca2d
Instruction Fuzzy Hash: 184152B1E016188BEB5CCF6B8D4069AFAF7AFC9300F15C1B9C51CAB215DB7045868F55

Uniqueness

Uniqueness Score: -1.00%

Function 04C659F8, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c02c91e7bb4b35fbc283122d13cd0dc4806f9c00f0d212e0d519447188369e
Instruction ID: 08ef513aba1cfef97335624329c30fae0a30176d635633d6e566e163c9b8fa12
Opcode Fuzzy Hash: a7c02c91e7bb4b35fbc283122d13cd0dc4806f9c00f0d212e0d519447188369e
Instruction Fuzzy Hash: 78411571D0520AEFCB04CFD6D9815AEBBF2EF89300F24D46AC412AB211D234A6519F95

Uniqueness

Uniqueness Score: -1.00%

Function 04C65E28, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33c4f900938f78f71dd344faf5caad48c9ad1d81a53daa6c50da5cc19537b38
Instruction ID: 4184f344adc782bcfad2bb059d63b8a13f15843fd925ff44bd2af4ab7f8c4a89
Opcode Fuzzy Hash: e33c4f900938f78f71dd344faf5caad48c9ad1d81a53daa6c50da5cc19537b38
Instruction Fuzzy Hash: 8741F6B4E05209DFDF04CFA6D5804AEFBB2BB99300F24D46AC416B7214E734AA41DB55

Uniqueness

Uniqueness Score: -1.00%

Function 04C65A08, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e5d690e435da1682046f94c88e7aea88bc4fa62a196fe780c998d781e2fab6
Instruction ID: ab8fdb5dadb804a70526d12f9bfacdf3984f7c378845a213e3a3de340379de59
Opcode Fuzzy Hash: 96e5d690e435da1682046f94c88e7aea88bc4fa62a196fe780c998d781e2fab6
Instruction Fuzzy Hash: 50411471D1520AEFCB04CFDAD9815AEFBB2FF88300F24C56AC412AB215E334A6519F95

Uniqueness

Uniqueness Score: -1.00%

Function 04C65E38, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411e55a8019279af8876cf2fa0d775504fe6e6b7b52a9bac136608b8a3713eef
Instruction ID: 95251fc76051afbb2b6d99ed7d25f955763ba01d881a604f6ecd7907575aa59b
Opcode Fuzzy Hash: 411e55a8019279af8876cf2fa0d775504fe6e6b7b52a9bac136608b8a3713eef
Instruction Fuzzy Hash: AF41F570E0520AEFDF08CF96D5805AEFBB2BB89300F24D469C416B7214E734AA41DF94

Uniqueness

Uniqueness Score: -1.00%

Function 04C69620, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b3708c1e5d093b952adce852117d62019dc17bf18633efc1b14dfb8ad68b45
Instruction ID: 0628c54e755b4f09524475fb13148389673492627ffe6567743bbf1a51ad1e9f
Opcode Fuzzy Hash: 84b3708c1e5d093b952adce852117d62019dc17bf18633efc1b14dfb8ad68b45
Instruction Fuzzy Hash: BB1196B1E05609DBDB18DFABC94119EFBF7AFC9200F24C57A8418A7215EB345A518F40

Uniqueness

Uniqueness Score: -1.00%

Function 04C6961B, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.698757970.0000000004C60000.00000040.00000001.sdmp, Offset: 04C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e589b239973767882ae77ce8c956fca661ccb4c830e1e918463090d8350a502
Instruction ID: f49070c1e55d38c93a9ec2434d1c6f19ee818b3979a5d6f81a91600fc87a6001
Opcode Fuzzy Hash: 3e589b239973767882ae77ce8c956fca661ccb4c830e1e918463090d8350a502
Instruction Fuzzy Hash: 611175B1E116199BDB58CFAB894029EFBF3AFC8200F24C57A8414A7215EA349A568F50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exe PID: 6296 Parent PID: 3424 dhcpmon.exeCOMMON

Executed Functions

Function 012DA4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,47D63520,00000000,00000000,00000000,00000000), ref: 012DA53D

Memory Dump Source

Source File: 0000000B.00000002.720856282.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5bca62e8f14b1025eb9319948309a333ca62723c473fae62f61d11f2c9c8bd4b
Instruction ID: 719b0f913c6a7dc71e417e8184d7a2eec435af7c12e1ca056732e3385f8639f2
Opcode Fuzzy Hash: 5bca62e8f14b1025eb9319948309a333ca62723c473fae62f61d11f2c9c8bd4b
Instruction Fuzzy Hash: C4216D71409380AFEB228F659C54F96BFB8EF46310F0885DBE9849F153D264A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 012DA4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,47D63520,00000000,00000000,00000000,00000000), ref: 012DA53D

Memory Dump Source

Source File: 0000000B.00000002.720856282.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2f5dfe61aaea24110156d5e456f10392364957d08936d44e368776203aa98841
Instruction ID: 13f92355bb34048b8c669c90cce7de3b92c53345bc6e073c79c75dc81dd2daff
Opcode Fuzzy Hash: 2f5dfe61aaea24110156d5e456f10392364957d08936d44e368776203aa98841
Instruction Fuzzy Hash: 0811C471900300AFEB21CF59EC45F5AFBA8EF44320F04846AED459B156D374E404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 012DA1F4, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 012DA269

Memory Dump Source

Source File: 0000000B.00000002.720856282.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: e36d4837b5a1db1b509ca46e321c5ed4338d4dce4dee1f4a603088acada4a6ef
Instruction ID: 1fba4bd687a9894ec86a696dccd0291cfd0f3b9b9ef2064809b2b2fd127e7501
Opcode Fuzzy Hash: e36d4837b5a1db1b509ca46e321c5ed4338d4dce4dee1f4a603088acada4a6ef
Instruction Fuzzy Hash: 3D216A7544E7C05FD7138B659C94692BFB4EF47220F0E80DBD9848F1A3D269A909C762

Uniqueness

Uniqueness Score: -1.00%

Function 012DA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 012DA269

Memory Dump Source

Source File: 0000000B.00000002.720856282.00000000012DA000.00000040.00000001.sdmp, Offset: 012DA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 201ffca9f890b715d83e15186a6682e55fb68af023cd87fba357298019faffa1
Instruction ID: 4f72f1b951e78d9b2f1416d105f6b01890ff5b18e01b9888cc3dc4e1ffffb7d6
Opcode Fuzzy Hash: 201ffca9f890b715d83e15186a6682e55fb68af023cd87fba357298019faffa1
Instruction Fuzzy Hash: 54F0C2309143408FDB10CF1AD889B61FF90EF04620F08C0AADD094F646D3B9E548CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DC010F, Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

:@pq, xrefs: 02DC02C5

Memory Dump Source

Source File: 0000000B.00000002.721406468.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID: :@pq
API String ID: 0-3329585733
Opcode ID: 8b6e6c33a0bfe5be062caa11fb028994137fe56b1c32e82af6f5fcea1c08ef5e
Instruction ID: 766cc1d693f3a588da11ea5ea6e412ad79ad91952c2038b48cb8f99dcd004aa1
Opcode Fuzzy Hash: 8b6e6c33a0bfe5be062caa11fb028994137fe56b1c32e82af6f5fcea1c08ef5e
Instruction Fuzzy Hash: F8912C34B00252DFCB64DB68E55CB69BBF2FB88341F2480A9D40A9B395DF769D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DC0818, Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721406468.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3407713f88f3c2042a77ae6d6cb8f9fc9f6ed8266fd4839764ebb1bc5616150f
Instruction ID: 753e98d3ed62aaa0937a5e83b557fc4465838518820774b6739ae5137c35dc33
Opcode Fuzzy Hash: 3407713f88f3c2042a77ae6d6cb8f9fc9f6ed8266fd4839764ebb1bc5616150f
Instruction Fuzzy Hash: 55F15D30300642DFDB28DF68E598A2A77A7FBD4306B25855DC5868B349DB76EC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DC06E8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721406468.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0202016ad21a88d2b57199df0a5f3d9999e69f23b791a060ba7d281a2dca3e96
Instruction ID: 469092a803b51d9aa5d31c910ca2a46eae9244dd623f84f877dce036fa95ec4b
Opcode Fuzzy Hash: 0202016ad21a88d2b57199df0a5f3d9999e69f23b791a060ba7d281a2dca3e96
Instruction Fuzzy Hash: 4B311A307052128FD759AB38D01866D37E2AF8624AB2144B8D40ACF7A5DE76DC42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DC06F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721406468.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1908b971420d886e1e1d370980c5daf92423c0d3b56e34c4981f4c70a3a50039
Instruction ID: 5734c7fea8986527238258598f6c591d7bccc2a5bebfd8719213367f920cd742
Opcode Fuzzy Hash: 1908b971420d886e1e1d370980c5daf92423c0d3b56e34c4981f4c70a3a50039
Instruction Fuzzy Hash: 15210A30701212CFC759B778D018A2D36E7AF8524AB2144BCD50ACF7A5DE76DC42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DC0DD0, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721406468.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49830e7e469c01f10c3cbeb0020a460668e2065af4b7a9021e02d5413147ea1d
Instruction ID: dc3036cb6447ed8daa23a136cb81cc88bfee531cb6aeb28ca48009317cf1c5b1
Opcode Fuzzy Hash: 49830e7e469c01f10c3cbeb0020a460668e2065af4b7a9021e02d5413147ea1d
Instruction Fuzzy Hash: 9E21E730B04205DFC7559BBCD814AAE7BAAFF85310B208099D505DB394CE359D02CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DC00A0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721406468.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4bd47b0e191baec6a792874e6f7db095658c1abe2803e7864142c54ae6a6de
Instruction ID: 51a1e3baa99f83e4f3fc5f338936b2ecc818b69c9f9d11dd17ff6461e2746027
Opcode Fuzzy Hash: be4bd47b0e191baec6a792874e6f7db095658c1abe2803e7864142c54ae6a6de
Instruction Fuzzy Hash: 4E016D71D492869FCB11CFB898596DEBFF4AE4A214B1404AAC484EB212D2340955CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02DD05CF, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721449325.0000000002DD0000.00000040.00000040.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 263f1024e02b7cb1e2b5e99ce0345b8c6e3ddb341562afd746904bedc5868244
Instruction ID: 6aa6ed782fa7c7bcd708fc8c4b565c455a2d9f44c573982f12d88ca17ed11ab0
Opcode Fuzzy Hash: 263f1024e02b7cb1e2b5e99ce0345b8c6e3ddb341562afd746904bedc5868244
Instruction Fuzzy Hash: 9401D6765097806FD7128F16EC40862FFF8EF86620708C19FEC498B612D225A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02DC0EF7, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721406468.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e4ccae5b1a2dcf63466f889f0623ec6be3c10a18287bc6a6a5d67013bd58f6
Instruction ID: eaaa41d9536bf0ad92d26fc14961ee7e70d9fb9526ddccdb820f673f0519eaa0
Opcode Fuzzy Hash: 41e4ccae5b1a2dcf63466f889f0623ec6be3c10a18287bc6a6a5d67013bd58f6
Instruction Fuzzy Hash: DFF05E347182809FC351DB7CE4589AA3BE6DF8A225B2440EFD449C7762DA665C06CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02DD05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721449325.0000000002DD0000.00000040.00000040.sdmp, Offset: 02DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5527f42a921a96811b045cd203bd3cc441c4be0254e23f1bdbb67c6bc3211c1
Instruction ID: b1fd48df98398dadc1dc91585c87f586b8680dd384491ac03e9bcb351a308e7f
Opcode Fuzzy Hash: b5527f42a921a96811b045cd203bd3cc441c4be0254e23f1bdbb67c6bc3211c1
Instruction Fuzzy Hash: 57E092766006005BD650CF0AEC41456FBD8EB88630718C07FDC0D8B700E635F509CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 02DC00D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721406468.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1465fb2a0e491df00bd24a3495ca0c82026543f321f6ecfc3f3fb8869cf07f50
Instruction ID: 9f60d5bc1116be828fe7da0ec3c1ad3edce145601ff27ccde911a238c5d703f3
Opcode Fuzzy Hash: 1465fb2a0e491df00bd24a3495ca0c82026543f321f6ecfc3f3fb8869cf07f50
Instruction Fuzzy Hash: 15E09A71D0525E9F8F50DFB999455DEFFF8FA48255F20446AD508F3200E3315A118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC0F08, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721406468.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e0352dd06377dda3f60388d8fab53b6a4e357d6900d9191ce6a2c2667acc4d
Instruction ID: a04520164c39ddf2ac1d6bc3fb59bbbe3ce8abdf14e9a6e1f2cf192608a687de
Opcode Fuzzy Hash: 50e0352dd06377dda3f60388d8fab53b6a4e357d6900d9191ce6a2c2667acc4d
Instruction Fuzzy Hash: 96E01A35710114DFC364EB6CE548E9A33EBEB89225B2050AAE809D7724DE76AC05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC03C5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.721406468.0000000002DC0000.00000040.00000001.sdmp, Offset: 02DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d6e13e7103b5dbc1c03c8846de81436276782fff5cbff7ee0433bb7aaaf9d5
Instruction ID: 930e3eacafabba8cd1d3a3963bcb6ea58632a96bb9fdcb7e9d3579afbad15210
Opcode Fuzzy Hash: 01d6e13e7103b5dbc1c03c8846de81436276782fff5cbff7ee0433bb7aaaf9d5
Instruction Fuzzy Hash: 95F01C30A40256CFEF24ABA8D15C7AC7AF0AB48316F200459C442AB3A0DB788C84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 012D23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.720843837.00000000012D2000.00000040.00000001.sdmp, Offset: 012D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de360b3cea47cb1bb44c1783b9c652927cc15b2d256ba52de058854ec0ad74a
Instruction ID: bb4c0182d099e46c3497124c8205bbb4718533efe26867fec93c65e47c734fe1
Opcode Fuzzy Hash: 9de360b3cea47cb1bb44c1783b9c652927cc15b2d256ba52de058854ec0ad74a
Instruction Fuzzy Hash: 1DD05E79215AA28FE3278A1CC1A8B953FE4EB51B04F4644F9ED008B667C369D681D200

Uniqueness

Uniqueness Score: -1.00%

Function 012D23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.720843837.00000000012D2000.00000040.00000001.sdmp, Offset: 012D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c821bfa3ef0c0dcd7a44257a8727233ce534a48a18dd478594dcc1ccbbd4f357
Instruction ID: fcadf8de33f0b3ae3a66c8feb27d98a0abafe039ad818e820899fcd0f4403968
Opcode Fuzzy Hash: c821bfa3ef0c0dcd7a44257a8727233ce534a48a18dd478594dcc1ccbbd4f357
Instruction Fuzzy Hash: B6D05E342102828BD715DB0CC194F593BD4AB81B00F0644E8BE008B266CBA4D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report receipt.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

CPU Usage