Analysis Report payment invoice.exe

Overview

General Information

Sample Name: payment invoice.exe
Analysis ID: 431785
MD5: 845d5dc8393bf7652f744e7fa7dfb3c3
SHA1: f83096a377039cfdbcfb930a98fd1b78691c4456
SHA256: 3aa4556bd929b55c5a51ea8cd76865fd4e27b880ec483aa8a94582071cdef24d
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • payment invoice.exe (PID: 6660 cmdline: 'C:\Users\user\Desktop\payment invoice.exe' MD5: 845D5DC8393BF7652F744E7FA7DFB3C3)
    • schtasks.exe (PID: 6332 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • payment invoice.exe (PID: 6568 cmdline: {path} MD5: 845D5DC8393BF7652F744E7FA7DFB3C3)
      • schtasks.exe (PID: 408 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD79F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • payment invoice.exe (PID: 976 cmdline: 'C:\Users\user\Desktop\payment invoice.exe' 0 MD5: 845D5DC8393BF7652F744E7FA7DFB3C3)
    • schtasks.exe (PID: 1688 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmp70E1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "64d6914b-2a13-4387-9ead-01228df9", "Group": "Default", "Domain1": "ifybest85fff.ddns.net", "Domain2": "194.5.98.23", "Port": 7600, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed beneath each row)
0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(78 entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed beneath each row)
11.2.payment invoice.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.payment invoice.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
11.2.payment invoice.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
11.2.payment invoice.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
11.2.payment invoice.exe.6f10000.23.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
(155 entries in total; only the first are shown here)

Sigma Overview

Sigma detected: NanoCore (reported under AV Detection, E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality)
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\payment invoice.exe, ProcessId: 6568, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

          Signature Overview

          AV Detection:

Found malware configuration
Source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: ifybest85fff.ddns.net | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\GotewYBrdNy.exe | ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: payment invoice.exe | Virustotal: Detection: 44%
Source: payment invoice.exe | ReversingLabs: Detection: 29%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORY
Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORY
Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORY
Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORY
Source: Yara match | File source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.payment invoice.exe.3ac95f8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.payment invoice.exe.3af060c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.payment invoice.exe.3ac95f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\GotewYBrdNy.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: payment invoice.exe | Joe Sandbox ML: detected
Source: 11.0.payment invoice.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.payment invoice.exe.3ac95f8.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: 25.0.payment invoice.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.payment invoice.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.2.payment invoice.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.payment invoice.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.0.payment invoice.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.payment invoice.exe.5470000.17.unpack | Avira: Label: TR/NanoCore.fadte
Source: payment invoice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payment invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb | source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: Binary string: (P$p,C:\Windows\System.pdb | source: payment invoice.exe, 0000000B.00000002.649382803.00000000069EC000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 11_2_0626B860

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: ifybest85fff.ddns.net
Source: Malware configuration extractor | URLs: 194.5.98.23
Uses dynamic DNS services
Source: unknown | DNS query: name: ifybest85fff.ddns.net
Source: global traffic | TCP traffic: 192.168.2.6:49741 -> 194.5.98.23:7600
Source: Joe Sandbox View | IP Address: 194.5.98.23
Source: Joe Sandbox View | ASN Name: DANILENKODE
Source: unknown | DNS traffic detected: queries for: ifybest85fff.ddns.net
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment invoice.exe, 00000000.00000002.467752646.0000000001977000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comahY
Source: payment invoice.exe, 00000000.00000002.467752646.0000000001977000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comic
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment invoice.exe, 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

          E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File sources: the same memory dumps and unpacked PEs as listed for this signature under AV Detection above

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.649963116.0000000006C40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.650188515.0000000006F20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650157575.0000000006F10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.648469077.0000000005280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.646977313.0000000003C89000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650009265.0000000006C50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.650292848.0000000006F50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650225160.0000000006F30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650482817.0000000006F90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.650261294.0000000006F40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650324913.0000000006F60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.647259512.0000000003E25000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650370900.0000000006F70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6f10000.23.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f70000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e817b7.14.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f90000.30.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6c50000.22.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e98a16.13.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3ac95f8.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3c9a7cd.9.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6fe0000.34.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3c8e599.8.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6f90000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.3af060c.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.3ac95f8.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6fa4c9f.33.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f60000.28.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6c50000.22.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f30000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f60000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f40000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6fae8a4.32.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e14ca6.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6fe0000.34.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.2ab4e0c.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f50000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f50000.27.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f20000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6f20000.24.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6c40000.21.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f30000.25.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.2af1c64.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.2ae5a1c.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6fa0000.31.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.5280000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3c8e599.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3c8e599.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 25.2.payment invoice.exe.2b095f4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3caedfa.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3caedfa.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6f70000.29.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.2af1c64.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6fa0000.31.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.3e14ca6.11.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e98a16.13.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e817b7.14.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e817b7.14.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e8a5e6.12.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e8a5e6.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6c40000.21.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.2b062a0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.2ae5a1c.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.3c9a7cd.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3c9a7cd.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Initial sample is a PE file and has a suspicious name
          Source: initial sample, Static PE information: Filename: payment invoice.exe
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 0_2_0586C5CC
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 0_2_0586E56B
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 0_2_0586E570
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_06FF3F48
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_06FF3330
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_06FE42EB
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_06FE46D3
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_06FE3324
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_0291E480
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_0291E473
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_0291BBD4
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_06269608
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_062689F0
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_062696C6
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 11_2_06269940
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_028AC5CC
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_028AE562
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_028AE570
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_0553F910
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_0553EAF8
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_05537518
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_05537528
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_05533710
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_05533720
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_05536EB8
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_05536EA7
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_0553B1A0
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_05536B70
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_05536B69
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 16_2_08491E18
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 25_2_00F9E480
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 25_2_00F9E471
          Source: C:\Users\user\Desktop\payment invoice.exe, Code function: 25_2_00F9BBD4
          Source: payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs payment invoice.exe
          Source: payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMajorRevision.exe< vs payment invoice.exe
          Source: payment invoice.exe, 00000000.00000002.466020857.0000000000FC2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameEUZihe.exeR vs payment invoice.exe
          Source: payment invoice.exe, 00000000.00000002.481878309.000000000EF40000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs payment invoice.exe
          Source: payment invoice.exe, Binary or memory string: OriginalFilename vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNAudio.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.648831283.0000000005F10000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.640978089.00000000006C2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameEUZihe.exeR vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.650727872.0000000007120000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000000.473925014.00000000006E2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameEUZihe.exeR vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMajorRevision.exe< vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000002.576337167.000000000E0B0000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000002.576337167.000000000E0B0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000002.575920545.000000000DFC0000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000000.565896101.00000000006E2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameEUZihe.exeR vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000002.583975546.0000000000D98000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000002.586964569.0000000004FB0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs payment invoice.exe
          Source: payment invoice.exe, Binary or memory string: OriginalFilenameEUZihe.exeR vs payment invoice.exe
          Source: payment invoice.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.649963116.0000000006C40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.649963116.0000000006C40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000B.00000002.650188515.0000000006F20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650188515.0000000006F20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.650157575.0000000006F10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650157575.0000000006F10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.648469077.0000000005280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.648469077.0000000005280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000B.00000002.646977313.0000000003C89000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.650009265.0000000006C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650009265.0000000006C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000B.00000002.650292848.0000000006F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650292848.0000000006F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.650225160.0000000006F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650225160.0000000006F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.650482817.0000000006F90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650482817.0000000006F90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000B.00000002.650261294.0000000006F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650261294.0000000006F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.650324913.0000000006F60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650324913.0000000006F60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000B.00000002.647259512.0000000003E25000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000002.650370900.0000000006F70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000B.00000002.650370900.0000000006F70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.6f10000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f10000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6f70000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f70000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3e817b7.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3e817b7.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6f90000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f90000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6c50000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6c50000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3e98a16.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3e98a16.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3ac95f8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3ac95f8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3c9a7cd.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3c9a7cd.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6fe0000.34.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6fe0000.34.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3c8e599.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3c8e599.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.6f90000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f90000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.payment invoice.exe.3af060c.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.payment invoice.exe.3af060c.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.3ac95f8.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.3ac95f8.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6fa4c9f.33.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6fa4c9f.33.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6f60000.28.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f60000.28.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.6c50000.22.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6c50000.22.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6f30000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f30000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6f60000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f60000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6f40000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f40000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6fae8a4.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6fae8a4.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.3e14ca6.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.3e14ca6.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6fe0000.34.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6fe0000.34.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.2ab4e0c.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.2ab4e0c.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6f50000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f50000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6f50000.27.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f50000.27.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6f20000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f20000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.6f20000.24.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f20000.24.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6c40000.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6c40000.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6f30000.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f30000.25.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.2af1c64.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.2af1c64.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.2ae5a1c.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.2ae5a1c.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.6fa0000.31.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6fa0000.31.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.5280000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.5280000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.3c8e599.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.3c8e599.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.payment invoice.exe.2b095f4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.payment invoice.exe.2b095f4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.3caedfa.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.3caedfa.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.6f70000.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6f70000.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.2af1c64.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.6fa0000.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.6fa0000.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.3e14ca6.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.3e14ca6.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.3e98a16.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.3e98a16.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.3e817b7.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.payment invoice.exe.3e817b7.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.payment invoice.exe.3e817b7.14.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3e8a5e6.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3e8a5e6.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3e8a5e6.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3e8a5e6.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6c40000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6c40000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.2b062a0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.2ae5a1c.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.3c9a7cd.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3c9a7cd.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 25.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 25.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 25.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 25.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 25.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 25.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: classification engineClassification label: mal100.troj.evad.winEXE@15/11@12/1
          Source: C:\Users\user\Desktop\payment invoice.exeFile created: C:\Users\user\AppData\Roaming\GotewYBrdNy.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
          Source: C:\Users\user\Desktop\payment invoice.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{64d6914b-2a13-4387-9ead-01228df90732}
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
          Source: C:\Users\user\Desktop\payment invoice.exeMutant created: \Sessions\1\BaseNamedObjects\XXQFmKqbhRlUJSEysVNVGeSPP
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_01
          Source: C:\Users\user\Desktop\payment invoice.exeFile created: C:\Users\user\AppData\Local\Temp\tmpC705.tmpJump to behavior
          Source: payment invoice.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\payment invoice.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\payment invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: payment invoice.exe | Virustotal: Detection: 44%
          Source: payment invoice.exe | ReversingLabs: Detection: 29%
          Source: C:\Users\user\Desktop\payment invoice.exe | File read: C:\Users\user\Desktop\payment invoice.exe
          Source: unknown | Process created: C:\Users\user\Desktop\payment invoice.exe 'C:\Users\user\Desktop\payment invoice.exe'
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Users\user\Desktop\payment invoice.exe {path}
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD79F.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\payment invoice.exe 'C:\Users\user\Desktop\payment invoice.exe' 0
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmp70E1.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Users\user\Desktop\payment invoice.exe {path}
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp'
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Users\user\Desktop\payment invoice.exe {path}
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD79F.tmp'
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmp70E1.tmp'
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Users\user\Desktop\payment invoice.exe {path}
          Source: C:\Users\user\Desktop\payment invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\payment invoice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: payment invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: payment invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
          Source: Binary string: (P$p,C:\Windows\System.pdb source: payment invoice.exe, 0000000B.00000002.649382803.00000000069EC000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 11.0.payment invoice.exe.400000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.0.payment invoice.exe.400000.1.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.2.payment invoice.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.2.payment invoice.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.0.payment invoice.exe.400000.3.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.0.payment invoice.exe.400000.3.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.0.payment invoice.exe.400000.3.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.0.payment invoice.exe.400000.3.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.2.payment invoice.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.2.payment invoice.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.0.payment invoice.exe.400000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.0.payment invoice.exe.400000.1.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 0_2_00EC7B89 push ebx; ret 0_2_00EC7B8E
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 0_2_0586E518 push eax; ret 0_2_0586E519
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 11_2_005C7B89 push ebx; ret 11_2_005C7B8E
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 11_2_0626639C push edx; retf 11_2_0626639E
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 11_2_0626BC08 pushad ; ret 11_2_0626BC09
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 16_2_005E7B89 push ebx; ret 16_2_005E7B8E
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 16_2_028AE518 push eax; ret 16_2_028AE519
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 16_2_05534F41 push edx; ret 16_2_05534F42
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 16_2_0553398A push ecx; retf 16_2_0553398C
          Source: initial sample | Static PE information: section name: .text entropy: 7.30117922021
          Source: 11.0.payment invoice.exe.400000.1.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 11.0.payment invoice.exe.400000.1.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 11.2.payment invoice.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 11.2.payment invoice.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 11.0.payment invoice.exe.400000.3.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 11.0.payment invoice.exe.400000.3.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 25.0.payment invoice.exe.400000.3.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 25.0.payment invoice.exe.400000.3.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 25.2.payment invoice.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 25.2.payment invoice.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 25.0.payment invoice.exe.400000.1.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 25.0.payment invoice.exe.400000.1.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\payment invoice.exe | File created: C:\Users\user\AppData\Roaming\GotewYBrdNy.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\payment invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\payment invoice.exe File opened: C:\Users\user\Desktop\payment invoice.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\payment invoice.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORY
          Source: Yara match File source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORY
          Source: Yara match File source: 0.2.payment invoice.exe.341d068.1.raw.unpack, type: UNPACKEDPE
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\payment invoice.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\payment invoice.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\payment invoice.exe Window / User API: threadDelayed 4452
          Source: C:\Users\user\Desktop\payment invoice.exe Window / User API: threadDelayed 4827
          Source: C:\Users\user\Desktop\payment invoice.exe Window / User API: foregroundWindowGot 453
          Source: C:\Users\user\Desktop\payment invoice.exe Window / User API: foregroundWindowGot 428
          Source: C:\Users\user\Desktop\payment invoice.exe TID: 6692 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\payment invoice.exe TID: 6764 Thread sleep time: -15679732462653109s >= -30000s
          Source: C:\Users\user\Desktop\payment invoice.exe TID: 7068 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\payment invoice.exe TID: 6888 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: payment invoice.exe, 0000000B.00000002.650727872.0000000007120000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: VMWARE
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: payment invoice.exe, 0000000B.00000002.650727872.0000000007120000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: payment invoice.exe, 0000000B.00000002.650727872.0000000007120000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: payment invoice.exe, 0000000B.00000002.650727872.0000000007120000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\payment invoice.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\payment invoice.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\payment invoice.exe Memory written: C:\Users\user\Desktop\payment invoice.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\payment invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp'
          Source: C:\Users\user\Desktop\payment invoice.exe Process created: C:\Users\user\Desktop\payment invoice.exe {path}
          Source: C:\Users\user\Desktop\payment invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD79F.tmp'
          Source: C:\Users\user\Desktop\payment invoice.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmp70E1.tmp'
          Source: C:\Users\user\Desktop\payment invoice.exe Process created: C:\Users\user\Desktop\payment invoice.exe {path}
          Source: payment invoice.exe, 0000000B.00000002.644797305.0000000002D27000.00000004.00000001.sdmp Binary or memory string: Program ManagerH
          Source: payment invoice.exe, 0000000B.00000002.646489484.0000000002FF9000.00000004.00000001.sdmp Binary or memory string: Program Manager
          Source: payment invoice.exe, 0000000B.00000002.651044502.0000000007A8B000.00000004.00000001.sdmp Binary or memory string: Program Manager$
          Source: payment invoice.exe, 0000000B.00000002.650962100.000000000758B000.00000004.00000001.sdmp Binary or memory string: Program Manager`_
          Source: payment invoice.exe, 0000000B.00000002.642570304.0000000001440000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: payment invoice.exe, 0000000B.00000002.642570304.0000000001440000.00000002.00000001.sdmp Binary or memory string: Progman
          Source: payment invoice.exe, 0000000B.00000002.650989172.000000000780C000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager
          Source: payment invoice.exe, 0000000B.00000002.648996309.000000000613B000.00000004.00000001.sdmp Binary or memory string: Program Manager H
          Source: payment invoice.exe, 0000000B.00000002.642570304.0000000001440000.00000002.00000001.sdmp Binary or memory string: &Program Manager
          Source: payment invoice.exe, 0000000B.00000002.642570304.0000000001440000.00000002.00000001.sdmp Binary or memory string: Progmanlock
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp Binary or memory string: Program Manager
          Source: payment invoice.exe, 0000000B.00000002.649878408.0000000006C2A000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager (
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Users\user\Desktop\payment invoice.exe VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Users\user\Desktop\payment invoice.exe VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\payment invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\payment invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\payment invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORY
          Source: Yara match | File source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.3ac95f8.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.payment invoice.exe.3af060c.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.3ac95f8.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: payment invoice.exe, 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: payment invoice.exe | String found in binary or memory: NanoCore.ClientPluginHost
tributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPComm
andHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
          Source: payment invoice.exe, 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: payment invoice.exe, 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Yara detected Nanocore RAT
          Source: Yara match; File source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORY
          Source: Yara match; File source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORY
          Source: Yara match; File source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORY
          Source: Yara match; File source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORY
          Source: Yara match; File source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 11.2.payment invoice.exe.3ac95f8.6.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.2.payment invoice.exe.3af060c.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 11.2.payment invoice.exe.3ac95f8.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPE

          MITRE ATT&CK Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 1 | Input Capture 11 | Security Software Discovery 221 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 21 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 12 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 431785; Sample: payment invoice.exe; Start date: 09/06/2021; Architecture: WINDOWS; Score: 100

          • Root signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
          • Root DNS/IP: ifybest85fff.ddns.net
          • Start → payment invoice.exe (node 9) started; payment invoice.exe (node 13) started
          • Node 9 (payment invoice.exe): dropped C:\Users\user\AppData\...\GotewYBrdNy.exe (PE32), C:\Users\user\AppData\Local\...\tmpC705.tmp (XML), C:\Users\user\...\payment invoice.exe.log (ASCII); signature: Injects a PE file into a foreign processes; started payment invoice.exe (node 15) and schtasks.exe (node 20)
          • Node 13 (payment invoice.exe): started schtasks.exe (node 22) and payment invoice.exe (node 24)
          • Node 15 (payment invoice.exe): contacted ifybest85fff.ddns.net (194.5.98.23, ports 49741, 49748, 49749; DANILENKODE, Netherlands); dropped C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); signature: Hides that the sample has been downloaded from the Internet (zone.identifier); started schtasks.exe (node 26)
          • Nodes 20, 22 and 26 (schtasks.exe): each started a conhost.exe (nodes 28, 30 and 32)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label | Link
          payment invoice.exe | 45% | Virustotal | | Browse
          payment invoice.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
          payment invoice.exe | 100% | Joe Sandbox ML | |

          Dropped Files

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Roaming\GotewYBrdNy.exe | 100% | Joe Sandbox ML | |
          C:\Users\user\AppData\Roaming\GotewYBrdNy.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          11.0.payment invoice.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          11.2.payment invoice.exe.3ac95f8.6.unpack | 100% | Avira | TR/NanoCore.fadte
          25.0.payment invoice.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          11.2.payment invoice.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          25.2.payment invoice.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          11.0.payment invoice.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          25.0.payment invoice.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
          11.2.payment invoice.exe.5470000.17.unpack | 100% | Avira | TR/NanoCore.fadte

          Domains

          Source | Detection | Scanner | Label | Link
          ifybest85fff.ddns.net | 7% | Virustotal | | Browse

          URLs

          Source | Detection | Scanner | Label | Link
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          http://www.fontbureau.comic | 0% | Avira URL Cloud | safe |
          http://www.tiro.com | 0% | URL Reputation | safe |
          http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          http://www.fontbureau.comahY | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.coml | 0% | URL Reputation | safe |
          http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          http://www.typography.netD | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          http://fontfabrik.com | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          ifybest85fff.ddns.net | 7% | Virustotal | | Browse
          ifybest85fff.ddns.net | 0% | Avira URL Cloud | safe |
          194.5.98.23 | 0% | Avira URL Cloud | safe |
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          http://www.sakkal.com | 0% | URL Reputation | safe |

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          ifybest85fff.ddns.net | 194.5.98.23 | true | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          ifybest85fff.ddns.net | true | 7%, Virustotal, Browse; Avira URL Cloud: safe | unknown
          194.5.98.23 | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comic | payment invoice.exe, 00000000.00000002.467752646.0000000001977000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.fontbureau.com/designers? | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers | payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | | high
          http://www.goodfont.co.kr | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.comahY | payment invoice.exe, 00000000.00000002.467752646.0000000001977000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.carterandcone.coml | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.sajatypeworks.com | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.typography.netD | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://fontfabrik.com | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.founder.com.cn/cn | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers/frere-jones.html | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | | high
          http://www.jiyu-kobo.co.jp/ | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.galapagosdesign.com/DPlease | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.fontbureau.com/designers8 | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | | high
          http://www.fonts.com | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | | high
          http://www.sandoll.co.kr | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.urwpp.deDPlease | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://www.zhongyicts.com.cn | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp | false | | high
          http://www.sakkal.com | payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp; payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.98.23 | ifybest85fff.ddns.net | Netherlands | 208476 | DANILENKODE | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 431785
Start date: 09.06.2021
Start time: 10:15:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: payment invoice.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/11@12/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.8% (good quality ratio 0.5%)
• Quality average: 44.6%
• Quality standard deviation: 37.2%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 97
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted)
• Excluded domains from analysis (whitelisted)
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
10:17:51 | API Interceptor | 668x Sleep call for process: payment invoice.exe modified
10:17:52 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\payment invoice.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match: 194.5.98.23
• Asif Professional CV.exe: malicious
• Mwasiti Mnindy.exe: malicious
• Mwasiti Mnindy.exe: malicious
• INVs(2341).exe: malicious
• Bank Payment Copy.exe: malicious
• SWIFT COPY.exe: malicious
• payment invoice.exe: malicious
• Bank Payment Copy.exe: malicious
• ORDER SHEET - SUMMER 2021.exe: malicious
• Specifications Drawing Sketch Details-img.exe: malicious

Domains

Match: ifybest85fff.ddns.net
• Asif Professional CV.exe: malicious (context: 194.5.98.23)

ASN

Match: DANILENKODE
• #RFQ ORDER484475577797.exe: malicious (context: 194.5.98.120)
• b6yzWugw8V.exe: malicious (context: 194.5.98.107)
• 0041#Receipt.pif.exe: malicious (context: 194.5.98.180)
• j07ghiByDq.exe: malicious (context: 194.5.97.146)
• j07ghiByDq.exe: malicious (context: 194.5.97.146)
• PROOF OF PAYMENT.exe: malicious (context: 194.5.97.18)
• SecuriteInfo.com.Trojan.PackedNET.820.24493.exe: malicious (context: 194.5.97.61)
• DHL_file.exe: malicious (context: 194.5.98.145)
• BBS FX.xlsx: malicious (context: 194.5.97.61)
• GpnPv433gb.exe: malicious (context: 194.5.98.11)
• Kj7tTd1Zimp0ciI.exe: malicious (context: 194.5.97.197)
• Resume.exe: malicious (context: 194.5.98.8)
• SecuriteInfo.com.Trojan.DownLoader39.38629.28832.exe: malicious (context: 194.5.98.145)
• SecuriteInfo.com.Variant.Razy.840898.18291.exe: malicious (context: 194.5.98.144)
• 8LtwhjD2Qm.exe: malicious (context: 194.5.98.107)
• Receiptn.exe: malicious (context: 194.5.98.180)
• soa5.exe: malicious (context: 194.5.98.48)
• soa5.exe: malicious (context: 194.5.98.48)
• 68Aj4oxPok.exe: malicious (context: 194.5.98.144)
• Ysur2E8xPs.exe: malicious (context: 194.5.97.61)

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment invoice.exe.log
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp70E1.tmp
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1656
Entropy (8bit): 5.1594656034148185
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3NkOtn:cbha7JlNQV/rydbz9I3YODOLNdq3wo
MD5: 237C2B764584CA136806AD1FBE17F761
SHA1: FE783B97447CF226C6FAA7F5AE7D972C2268A279
SHA-256: 9496A59C37BA72FC44EE6217E7D289A1D022BC8ECDE5197E5B5185D8051F79B3
SHA-512: 422B5D17D498781201CC0ADC36C3E0267900308DB09FF25D6B89E427D3ABBB52DB97A4A640BB7D68AEDF2014391D3FA12E2644D558952DABB51C77C09A383BAA
Malicious: false
Reputation: low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Local\Temp\tmpC705.tmp
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1656
Entropy (8bit): 5.1594656034148185
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3NkOtn:cbha7JlNQV/rydbz9I3YODOLNdq3wo
MD5: 237C2B764584CA136806AD1FBE17F761
SHA1: FE783B97447CF226C6FAA7F5AE7D972C2268A279
SHA-256: 9496A59C37BA72FC44EE6217E7D289A1D022BC8ECDE5197E5B5185D8051F79B3
SHA-512: 422B5D17D498781201CC0ADC36C3E0267900308DB09FF25D6B89E427D3ABBB52DB97A4A640BB7D68AEDF2014391D3FA12E2644D558952DABB51C77C09A383BAA
Malicious: true
Reputation: low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Local\Temp\tmpD79F.tmp
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.082134358682254
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0V/nxtn:cbk4oL600QydbQxIYODOLedq38nj
MD5: 2718925F05BD1061363FC1DB90858234
SHA1: 0AB5DAFCED20DD659BF032004131A51397CD0886
SHA-256: 606E95C64E26A82B23885ABD2C0A3619DB9BE593FBFFF8345FE47E09273CEB06
SHA-512: E95F45D6C3A24900856159ED3C59089766B1BC5E03AE226A272D725FB6D1FC69374074F5D4C94AB272A0C01CD121AA23FF096FF3CA281E14B3FA2D6BD290EE68
Malicious: false
Reputation: low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: data
Category: dropped
Size (bytes): 2088
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
MD5: 0D6805D12813A857D50D42D6EE2CCAB0
SHA1: 78D83F009D842F21FE2AB0EAFFD00E5AAD1776F4
SHA-256: 182E0F8AA959549D61C66D049645BA8445D86AEAD2B8C3552A9836FA1E5BD484
SHA-512: 5B29496F3AB3CCB915CF37042F4956BB00E577B5F15457A5A739BE1BD50C481FB7E3297EED575DCA7A7BD30ECBC140DD3666CD7DEDD25DFB7AEB41A1B5BEDA4A
Malicious: false

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: Non-ISO extended-ASCII text, with no line terminators, with overstriking
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:MPh:MJ
MD5: D00FDE39F5DC7B4ABDA8A17EFE02ED47
SHA1: 9314E390AED8DAF63A8F3507AA7F8D42959A4032
SHA-256: 1A9FD6E8ECD5DB86FA9AAF2350A49592499D2C25CD0C770817FD87DB365E68B5
SHA-512: DEE193CCDEDA2CA8EABD12B8DEEB46FD5F261B7F46949FA34177E4EFF76CF5B133822B428AFDDBA296DEA1F4D37CB7AF20B09326F3FD138D5C821E9BAA85E71E
Malicious: true
                                                    Preview: 2...j+.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: data
Category: dropped
Size (bytes): 24
Entropy (8bit): 4.501629167387823
Encrypted: false
SSDEEP: 3:9bzY6oRDIvYk:RzWDI3
MD5: ACD3FB4310417DC77FE06F15B0E353E6
SHA1: 80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256: DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512: DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious: false
                                                    Preview: 9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 5.320159765557392
Encrypted: false
SSDEEP: 3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
MD5: BB0F9B9992809E733EFFF8B0E562CFD6
SHA1: F0BAB3CF73A04F5A689E6AFC764FEE9276992742
SHA-256: C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
SHA-512: AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
Malicious: false
                                                    Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: data
Category: dropped
Size (bytes): 327432
Entropy (8bit): 7.99938831605763
Encrypted: true
SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious: false

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 45
Entropy (8bit): 4.113206429278392
Encrypted: false
SSDEEP: 3:oNN2+WVEcIqvdA:oNN2RucddA
MD5: 4E8183AE084261C1AF222E0DCC1BE281
SHA1: 8C8751A7FC261FDF903E0F1E47A7E9463855E12A
SHA-256: EAC634E1CBF5C9F39FA4450A987DC15936083172CF8937C6DB6870D45C103A67
SHA-512: 76F424D13A6FC3CEB9A5ABFAE3F774C4D300D2E1321F6310E5DC363E0BF5C3BD8E4AEB086691DA393798993C026119C125F96435BBA86A71B88C67966CB717F0
Malicious: false
Preview: C:\Users\user\Desktop\payment invoice.exe
                                                    C:\Users\user\AppData\Roaming\GotewYBrdNy.exe
                                                    Process:C:\Users\user\Desktop\payment invoice.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1043456
                                                    Entropy (8bit):7.296264460943387
                                                    Encrypted:false
                                                    SSDEEP:12288:c1mk+vR1Hup6Z7Q/pDTXWILsbGRzcmtCN1/LFk6Hq0cpeTHKMgAbCZBvqpjExD07:Ox+vDOQZSz5UQRi
                                                    MD5:845D5DC8393BF7652F744E7FA7DFB3C3
                                                    SHA1:F83096A377039CFDBCFB930A98FD1B78691C4456
                                                    SHA-256:3AA4556BD929B55C5A51EA8CD76865FD4E27B880EC483AA8A94582071CDEF24D
                                                    SHA-512:E40303DC536090DA7B282A9A940765437C07ED3D497B0F81CDB92B9ABFC378D5EC54D96E946B69E368432B4FDE891A40681239056E3FC74FEA4568E4959D249C
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 30%
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._!.`..............0.............n.... ... ....@.. .......................`............@.....................................S.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................P.......H........X..........c........s...........................................0..........*....0.."........r...p}......}.....(.......(.....*...0............{....(....r[..p(....:.... .0t. ....a%....^E............................M...a............... .......u.......8.....(...... /)..Z 1../a+....m...%.r]..p.%..{....(.....%.r...p.%..{....(.....%.r...p.%..{....(.....%.r...p.%..{....(.....%.r...p.%...{....(.....%..r...p.(.......(....... v`.UZ .^n.a8....r...p(....&.. aL..Z ..p.a8.....(....

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.296264460943387
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:payment invoice.exe
                                                    File size:1043456
                                                    MD5:845d5dc8393bf7652f744e7fa7dfb3c3
                                                    SHA1:f83096a377039cfdbcfb930a98fd1b78691c4456
                                                    SHA256:3aa4556bd929b55c5a51ea8cd76865fd4e27b880ec483aa8a94582071cdef24d
                                                    SHA512:e40303dc536090da7b282a9a940765437c07ed3d497b0f81cdb92b9abfc378d5ec54d96e946b69e368432b4fde891a40681239056e3fc74fea4568e4959d249c
                                                    SSDEEP:12288:c1mk+vR1Hup6Z7Q/pDTXWILsbGRzcmtCN1/LFk6Hq0cpeTHKMgAbCZBvqpjExD07:Ox+vDOQZSz5UQRi
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._!.`..............0.............n.... ... ....@.. .......................`............@................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x50016e
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x60C0215F [Wed Jun 9 02:03:11 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (x97: the zero bytes that pad the stub disassemble as 00 00 = add byte ptr [eax], al)

                                                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x100118 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x102000 | 0x5e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x104000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xfe174 | 0xfe200 | False | 0.613228410908 | data | 7.30117922021 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x102000 | 0x5e0 | 0x600 | False | 0.430338541667 | data | 4.17543821636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x104000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x1020a0 | 0x354 | data | |
RT_MANIFEST | 0x1023f4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                    Imports

DLL | Import
mscoree.dll | _CorExeMain
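The static fields above are what a stock .NET executable looks like: the CLR header sits at RVA 0x2008 right behind an 8-byte IAT at RVA 0x2000, the only native import is mscoree.dll!_CorExeMain, and the entry point (0x50016e, inside .text) is a six-byte `jmp dword ptr [00402000h]`, i.e. an indirect jump through that IAT slot (ImageBase 0x400000 + 0x2000) into the runtime loader; everything the sample actually does lives in the managed IL. The parser below, added here as an example and not part of the Joe Sandbox report or tooling, verifies exactly those facts with the standard library only and also decodes the DllCharacteristics flags and the link timestamp (0x60C0215F). It does not read the real file: `build_sample_pe` constructs a small stand-in image that copies this sample's layout and timestamp, and `parse_pe`, `with_entry_target` and the constants are this example's own names.

```python
"""Stdlib-only PE32 triage for a suspected .NET dropper: is there a CLR header,
is the native entry point the stock `jmp dword ptr [IAT]` stub through
mscoree!_CorExeMain, which DLL characteristics are set, and what does the link
timestamp decode to. Added example: build_sample_pe() constructs a stand-in that
copies this sample's layout (ImageBase 0x400000, IAT at RVA 0x2000, CLR header
at RVA 0x2008, TimeDateStamp 0x60C0215F); it is not the analysed binary."""
import struct
from datetime import datetime, timezone

DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}


def build_sample_pe(timestamp=0x60C0215F, image_base=0x400000):
    """Construct a minimal PE32: headers in 0x200 bytes, one .text section at RVA 0x2000."""
    text = bytearray(0x200)                                  # raw .text; offset = RVA - 0x2000
    struct.pack_into("<II", text, 0x000, 0x20A0, 0)          # IAT: one slot -> hint/name, then 0
    struct.pack_into("<IHH", text, 0x008, 0x48, 2, 5)        # CLR header: cb, runtime 2.5
    struct.pack_into("<IIIII", text, 0x050, 0x2078, 0, 0, 0x2090, 0x2000)  # import descriptor
    struct.pack_into("<II", text, 0x078, 0x20A0, 0)          # import lookup table
    text[0x090:0x09C] = b"mscoree.dll\0"
    text[0x0A0:0x0AE] = b"\0\0_CorExeMain\0"                 # hint + name
    text[0x0C0:0x0C6] = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)  # jmp [IAT]
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_IAT] = (0x2050, 0x28), (0x2000, 0x8)
    dirs[DIR_COM_DESCRIPTOR] = (0x2008, 0x48)
    opt = struct.pack("<HBBIIIIII", 0x10B, 8, 0, 0x200, 0, 0, 0x20C0, 0x2000, 0x2200)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", image_base, 0x2000, 0x200, 4, 0, 4, 0, 4, 0,
                       0, 0x4000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x0102)
    headers = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40) + coff + opt + section
    return bytes(headers + bytes(0x200 - len(headers)) + text)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_pe(data):
    """Return the header facts a triager checks first on a suspected .NET sample."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def rva_to_off(rva):                      # file offset of an RVA via the section table
        for _, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + rva - va
        raise ValueError("RVA 0x%x is not backed by a section" % rva)

    # Stock CLR stub: FF 25 <absolute address of the IAT slot>, i.e. ImageBase + IAT RVA
    ep = rva_to_off(entry)
    target = struct.unpack_from("<I", data, ep + 2)[0]
    stub_ok = data[ep:ep + 2] == b"\xff\x25" and target == image_base + dirs[DIR_IAT][0]

    imports, desc = [], rva_to_off(dirs[DIR_IMPORT][0])
    while any(struct.unpack_from("<IIIII", data, desc)):     # until the all-zero terminator
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        dll, thunk = _cstr(data, rva_to_off(name_rva)), rva_to_off(oft or ft)
        while (val := struct.unpack_from("<I", data, thunk)[0]):
            name = "#%d" % (val & 0xFFFF) if val & 0x80000000 else _cstr(data, rva_to_off(val) + 2)
            imports.append((dll, name))
            thunk += 4
        desc += 20
    return {
        "entry": entry, "image_base": image_base,
        "timestamp": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "is_dotnet": dirs[DIR_COM_DESCRIPTOR][1] > 0,
        "clr_stub_ok": stub_ok,
        "imports": imports,
    }


def with_entry_target(blob, target):
    """Copy of a build_sample_pe() image whose entry stub jumps through `target` instead
    of the IAT slot: what a patched or non-stock stub looks like to parse_pe()."""
    out = bytearray(blob)
    struct.pack_into("<I", out, 0x200 + 0xC0 + 2, target)    # .text raw offset + stub + opcode
    return bytes(out)


if __name__ == "__main__":
    for key, val in parse_pe(build_sample_pe()).items():
        print("%-20s %s" % (key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val))
```

On a real file the call is simply `parse_pe(open(path, "rb").read())`. A `clr_stub_ok` of False on an image that still has a CLR header deserves a closer look: either the linker was not the Microsoft one, or something rewrote the native entry so that native code runs before the runtime starts. The check is deliberately narrow and does not try to follow that code; it only tells you the stub is not the stock one.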

                                                    Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2019
Assembly Version | 1.0.0.0
InternalName | EUZihe.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | WindowsFormsApplication1
ProductVersion | 1.0.0.0
FileDescription | WindowsFormsApplication1
OriginalFilename | EUZihe.exe

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets
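The packet list that follows records one conversation: the sandbox host 192.168.2.6, from ephemeral port 49741, exchanging traffic both ways with 194.5.98.23 on port 7600, which is consistent with the report's "Detected TCP or UDP traffic on non-standard ports" signature. Per-packet rows are hard to read at scale, so the script below, added here as an example that is not part of the report, folds such rows into client-to-server sessions and flags two-way traffic from the monitored network to an external host on a port that is not a well-known service. The packet tuples are constructed from the first rows of the table plus one made-up HTTPS exchange with 203.0.113.10 (an RFC 5737 documentation address) for contrast; the 192.168.0.0/16 internal range, the well-known port set and the function names are this example's own assumptions.

```python
"""Fold the sandbox's per-packet TCP log into client->server sessions and flag the
ones an analyst pulls first: an internal host exchanging traffic both ways with an
external address on a port that is not a well-known service. Added example, not
part of the report; PACKETS is constructed from the report's first rows
(192.168.2.6:49741 <-> 194.5.98.23:7600) plus one made-up HTTPS exchange with the
RFC 5737 documentation address 203.0.113.10 for contrast."""
import ipaddress
from datetime import datetime, timedelta, timezone

CEST = timezone(timedelta(hours=2))                      # the report's clock is CEST (UTC+2)
INTERNAL = ipaddress.ip_network("192.168.0.0/16")        # assumed monitored network
WELL_KNOWN = {25, 53, 80, 123, 443, 465, 587, 993, 995}  # assumed: not worth a first look

# (timestamp, src port, dst port, src ip, dst ip): constructed from the report's rows
PACKETS = [
    ("Jun 9, 2021 10:17:53.281769037", 49741, 7600, "192.168.2.6", "194.5.98.23"),
    ("Jun 9, 2021 10:17:53.441498995", 7600, 49741, "194.5.98.23", "192.168.2.6"),
    ("Jun 9, 2021 10:17:53.443136930", 49741, 7600, "192.168.2.6", "194.5.98.23"),
    ("Jun 9, 2021 10:17:53.501430035", 49741, 7600, "192.168.2.6", "194.5.98.23"),
    ("Jun 9, 2021 10:17:53.739918947", 7600, 49741, "194.5.98.23", "192.168.2.6"),
    ("Jun 9, 2021 10:17:53.740128040", 49741, 7600, "192.168.2.6", "194.5.98.23"),
    ("Jun 9, 2021 10:17:54.095490932", 7600, 49741, "194.5.98.23", "192.168.2.6"),
    ("Jun 9, 2021 10:17:54.099549055", 49741, 7600, "192.168.2.6", "194.5.98.23"),
    ("Jun 9, 2021 10:17:55.000000000", 49800, 443, "192.168.2.6", "203.0.113.10"),  # made up
    ("Jun 9, 2021 10:17:55.120000000", 443, 49800, "203.0.113.10", "192.168.2.6"),  # made up
]


def parse_ts(text):
    """Parse the report's 'Jun 9, 2021 10:17:53.281769037' form as UTC. strptime only
    takes microseconds, so the nanosecond fraction is truncated to six digits."""
    base, frac = text.rsplit(".", 1)
    local = datetime.strptime("%s.%s" % (base, frac[:6]), "%b %d, %Y %H:%M:%S.%f")
    return local.replace(tzinfo=CEST).astimezone(timezone.utc)


def summarize(packets, internal=INTERNAL, well_known=WELL_KNOWN):
    """Group packets by (client, server, server port) and mark candidate C2 sessions."""
    sessions = {}
    for ts, sport, dport, sip, dip in packets:
        outbound = ipaddress.ip_address(sip) in internal
        key = (sip, dip, dport) if outbound else (dip, sip, sport)
        s = sessions.setdefault(key, {"out": 0, "in": 0, "times": []})
        s["out" if outbound else "in"] += 1
        s["times"].append(parse_ts(ts))
    for (client, server, port), s in sessions.items():
        first, last = min(s["times"]), max(s["times"])
        s["first"], s["last"] = first.isoformat(), last.isoformat()
        s["duration_s"] = (last - first).total_seconds()
        external = ipaddress.ip_address(server) not in internal
        # two-way traffic to an external host on an unusual port: review as possible C2
        s["flag"] = external and port not in well_known and s["in"] > 0 and s["out"] > 0
        del s["times"]
    return sessions


def flagged(sessions):
    """Keys of the sessions marked for review, busiest first."""
    return sorted((k for k, s in sessions.items() if s["flag"]),
                  key=lambda k: -(sessions[k]["in"] + sessions[k]["out"]))


if __name__ == "__main__":
    sessions = summarize(PACKETS)
    for client, server, port in flagged(sessions):
        s = sessions[(client, server, port)]
        print("%s -> %s:%d  out=%d in=%d  first=%s  %.3fs"
              % (client, server, port, s["out"], s["in"], s["first"], s["duration_s"]))
```

The flag is a triage filter, not a verdict: a legitimate service on an odd port trips it too, and a C2 on 443 slips past it, which is why the port set is a parameter and the output keeps the counts and timing so the session can be judged against the rest of the report (here, the same process that drops a copy of itself into AppData\Roaming is the one holding this connection open).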

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 9, 2021 10:17:53.281769037 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:53.441498995 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:53.443136930 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:53.501430035 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:53.739918947 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:53.740128040 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.095490932 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.099549055 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.255057096 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.302268982 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.552762032 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.552802086 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.553036928 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.593144894 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.739459991 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.739614964 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.739649057 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.739676952 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.739865065 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.739875078 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.739917040 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.740005016 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.913265944 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.913299084 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.913321018 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.913502932 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.913573980 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.913595915 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.913609028 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.913697004 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.913816929 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:54.913857937 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.913974047 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:54.914071083 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.091828108 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.091983080 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.092293024 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.099782944 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.099807978 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.099873066 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.101357937 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.101469994 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.101546049 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.101627111 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.101845980 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.101850033 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.101874113 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.102092028 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.102150917 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.102214098 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.102363110 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.102513075 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.102577925 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.109646082 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.109761953 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.109954119 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.251574993 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.251640081 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.251697063 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.253293037 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.253334999 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.253530025 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.265572071 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.265599966 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.265729904 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.265749931 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.265846968 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.266408920 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.266484022 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.276849031 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.276891947 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.276913881 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.277017117 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.277043104 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.277062893 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.277084112 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.277235985 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.277282953 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.277363062 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.277443886 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.277515888 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.277642965 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.277739048 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.277923107 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.277936935 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.277997017 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.278095961 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.278254986 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.278426886 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.278465033 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.278547049 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.278666973 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.278685093 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.278820038 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.278990030 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.279033899 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.287061930 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.287103891 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.287323952 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.290555954 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.290636063 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.297334909 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.302153111 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.302335024 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.420239925 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.420281887 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.420320034 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.420367002 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.420397043 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.420555115 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.420645952 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.420706987 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.420819998 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.430701017 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.450742960 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.450799942 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.451056957 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.451057911 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.451105118 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.451128960 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.451256990 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.451351881 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.451427937 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.451471090 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.451667070 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.451776028 CEST | 49741 | 7600 | 192.168.2.6 | 194.5.98.23
Jun 9, 2021 10:17:55.451855898 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
Jun 9, 2021 10:17:55.451930046 CEST | 7600 | 49741 | 194.5.98.23 | 192.168.2.6
                                                    Jun 9, 2021 10:17:55.452012062 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.472918034 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.472975969 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.473006010 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.473018885 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.473099947 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.473124027 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.475008965 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.475186110 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.475208998 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.475244045 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.475332022 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.475362062 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.475491047 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.475646019 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.475678921 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.475735903 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.475831032 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.475878000 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.476082087 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.476140022 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.476332903 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.476372004 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.476402998 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.476574898 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.480180979 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.480303049 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.486128092 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.490385056 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.490575075 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.495024920 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.504297972 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.506129980 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.506448030 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.511728048 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.512902975 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.516428947 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.521321058 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.525295973 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.525948048 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.530786037 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.531503916 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.536178112 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.540299892 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.540558100 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.544867992 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.549840927 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.552397013 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.554569960 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.559262037 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.559436083 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.564133883 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.586761951 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.586842060 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.587174892 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.587230921 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.587275028 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.587404013 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.590292931 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.590437889 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.593394995 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.595482111 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.599318981 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.621026993 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.621216059 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.621294022 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.621367931 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.621424913 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.621620893 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.623048067 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.623198032 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.623233080 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.623303890 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.626100063 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.626689911 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.630548954 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.630759954 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.635066032 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.638395071 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.640044928 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.640647888 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.645539045 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.646169901 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.649589062 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.653373003 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.654367924 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.654598951 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.658847094 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.659059048 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.663522005 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.664427042 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.669030905 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.669146061 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.673177958 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.674786091 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.677866936 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.678133965 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.683593988 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.683737993 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.688489914 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.691221952 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.693188906 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.696084023 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.697807074 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.698036909 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.702805996 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.703032970 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.707431078 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.707532883 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.712327003 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.712430954 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.717014074 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.717139959 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.721723080 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.722393036 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.728398085 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.729368925 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.731889009 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.731980085 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.735764027 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.736988068 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.741790056 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.743254900 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.746983051 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.747720957 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.751015902 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.751894951 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.755795956 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.759567022 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.763036966 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.763170958 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.767592907 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.767689943 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.775309086 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.775460005 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.779978991 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.780136108 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.784725904 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.784821033 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.789510012 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.789746046 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.794272900 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.794508934 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.799072027 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.799226999 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.803601980 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.803703070 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.808347940 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.808747053 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.813357115 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.813472986 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.818108082 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.819700003 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.823456049 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.827378988 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.827475071 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.827646017 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.832216978 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.834784031 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:17:55.837057114 CEST760049741194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:17:55.837265015 CEST497417600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:00.262866974 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:00.430203915 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:00.430303097 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:00.850671053 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:01.129688978 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:01.130007982 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:01.285053015 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:01.285176039 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:01.667717934 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:01.667843103 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:01.940644026 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:01.940671921 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:01.940809965 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.133660078 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.133691072 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.133795023 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.133852959 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.134181023 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.134265900 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.155399084 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.291843891 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.291925907 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.291975975 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.292002916 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.292028904 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.292085886 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.293984890 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.294022083 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.294115067 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.294169903 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.294224024 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.294342995 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.294395924 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.294487953 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.294539928 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.457797050 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.457923889 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.457976103 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.458070040 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.458812952 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.458910942 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.458925962 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.459148884 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.459990978 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.460951090 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.461081028 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.461321115 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.461359978 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.461400986 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.461457014 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.462830067 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.462956905 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.463027000 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.463251114 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.463324070 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.464418888 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.472902060 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.473010063 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.473113060 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.614366055 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.614394903 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.614470959 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.615915060 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.616142988 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.616216898 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.617634058 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.628154993 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.628261089 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.636003971 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.636166096 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.636225939 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.636238098 CEST497487600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:02.636307955 CEST760049748194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:02.636387110 CEST497487600192.168.2.6194.5.98.23
Jun 9, 2021 10:18:02.636468887 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.636622906 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.636697054 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.636787891 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.636806965 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.636861086 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.636939049 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.637059927 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.637320042 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.640352011 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.640494108 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.640536070 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.640641928 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.644623995 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.644644022 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.644706964 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.644745111 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.644798994 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.644799948 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.644824982 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.644918919 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.644961119 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.645117998 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.645143032 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.645168066 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.645353079 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.645402908 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.645422935 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.645793915 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.650681019 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.650727987 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.655379057 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.659933090 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.660007954 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.664745092 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.780102015 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.780131102 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.780163050 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.780222893 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.780277967 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.780308962 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.780355930 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.780431986 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.780632973 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.780682087 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.780713081 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.781855106 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.781923056 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.787899971 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.787995100 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.788078070 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.788312912 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.788474083 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.788522005 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.794236898 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.803977013 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.804003954 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.804090023 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.804120064 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.804168940 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.804316044 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.804392099 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.804442883 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.804558039 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.804677010 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.804732084 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.804862976 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.804914951 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.804986000 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.805154085 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.805171967 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.805216074 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.805341959 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.805423021 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.805546045 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.805598974 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.809813976 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.809870005 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.814471006 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.819125891 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.820996046 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.823842049 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.830193043 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.830585957 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.834865093 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.839628935 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.839724064 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.845895052 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.850706100 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.850795031 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.855386972 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.860091925 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.860194921 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.862298965 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.865756989 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.865835905 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.870584011 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.875291109 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.875686884 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.880073071 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.884804010 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.884910107 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.889458895 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.894212961 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.894287109 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.898967028 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.903573036 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.903747082 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.908778906 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.913017035 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.913202047 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.946290970 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.946398973 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.946468115 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.946492910 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.949938059 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.949958086 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.950016022 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.950124979 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.950165033 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.950241089 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.950721979 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.951314926 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.955511093 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.960205078 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.960274935 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.964797020 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.969595909 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.969867945 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.974278927 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.988730907 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.988784075 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.988869905 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.988899946 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.988955975 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:02.993118048 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.997828960 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:02.997910976 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.002599955 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.007241011 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.007344007 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.011914968 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.016763926 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.016855001 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.021369934 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.026129007 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.026325941 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.030859947 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.035482883 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.035547972 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.040458918 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.045089960 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.045157909 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.050582886 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.055270910 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.055345058 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.060112000 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.064748049 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.064821005 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.069555998 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.074220896 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.074280977 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.078880072 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.083596945 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.083659887 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.088335037 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.093168020 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.093288898 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.097937107 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.100243092 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.100306988 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.128489971 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.128535986 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.128559113 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.128581047 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.128596067 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.128632069 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.128717899 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.132155895 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.132225990 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.136854887 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.141577959 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.141649008 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.146667957 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.151315928 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.151407003 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.156125069 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.160624981 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.161082029 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.161396980 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.165783882 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.165868044 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.170447111 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.170516968 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.175154924 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.175223112 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.179929972 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.180032969 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.184645891 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.184761047 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.189291954 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.189352989 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.194129944 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.194227934 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.198862076 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.198950052 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.203819990 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.203906059 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.208189964 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.208264112 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.212868929 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.212970972 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.217649937 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.218539000 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.222430944 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.222502947 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.227267027 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.227360010 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.231735945 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.231806993 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.236483097 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.236576080 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.241286993 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.241355896 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.245903969 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.246023893 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.253494978 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.253602028 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.258517981 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.258589029 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.263271093 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.263339996 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.267925024 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.268023968 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.272694111 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.272813082 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.277312994 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.277389050 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.282078981 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.282143116 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.286761045 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.286840916 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.291518927 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.292757988 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.296190977 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.296258926 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.300839901 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.300903082 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.305658102 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.305754900 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.310374022 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.310487986 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.315001965 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.315082073 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.320215940 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.320277929 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.324848890 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.324927092 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.329581022 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.329660892 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.334285021 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.335098028 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.339180946 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.339246035 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.343847990 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.349086046 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.352925062 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.353053093 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.353168964 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.353338957 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.357928038 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.358011007 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.362673044 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.362735987 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.367465973 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.367535114 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.372241974 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.372771025 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.377036095 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.377146006 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.381839991 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.381918907 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.386321068 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.389074087 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.394304991 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.395955086 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.398586035 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.398637056 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:03.402183056 CEST  7600   49748  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:03.402271032 CEST  49748  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:07.337871075 CEST  49749  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:07.493930101 CEST  7600   49749  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:07.494046926 CEST  49749  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:07.494642973 CEST  49749  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:07.751146078 CEST  7600   49749  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:07.765620947 CEST  49749  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:07.924205065 CEST  7600   49749  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:07.945048094 CEST  49749  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:08.196254969 CEST  7600   49749  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:08.196392059 CEST  49749  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:08.198024035 CEST  7600   49749  194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:08.198163033 CEST  49749  7600   192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:08.355007887 CEST  7600   49749  194.5.98.23  192.168.2.6
                                                    Jun 9, 2021 10:18:08.355060101 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.355211973 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.355279922 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.356723070 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.358202934 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.515527964 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.517362118 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.517488003 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.517726898 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.517919064 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.517976046 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.519067049 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.519330025 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.519434929 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.519547939 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.519597054 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.522023916 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.678117037 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.678185940 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.678412914 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.678601980 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.678632975 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.678775072 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.679944038 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.680035114 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.680205107 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.680270910 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.680372953 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.680589914 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.680620909 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.683765888 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.683881998 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.684617996 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.692650080 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.692677975 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.692765951 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.692792892 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.692861080 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.692893982 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.692924976 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.694174051 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.837243080 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.837413073 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.837575912 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.838958025 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.839076996 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.839261055 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.839279890 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.839284897 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.839445114 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.839571953 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.840910912 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.841166973 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.841236115 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.841331959 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.842396975 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.851248026 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.851288080 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.851428032 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.851486921 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.851573944 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.851597071 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.851686001 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.851746082 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.851865053 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.851979017 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.852030039 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.852050066 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.852093935 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.852262020 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.852349043 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.852366924 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.852494001 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.852565050 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.853219032 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.853317022 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.853343964 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.861630917 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.861660957 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.861958981 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.863917112 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.864135981 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.864373922 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.869100094 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.873759985 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.873950958 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.878413916 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.883164883 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.883495092 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:08.887856960 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:08.936830997 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.005553961 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.005606890 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.005696058 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.005832911 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.010494947 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.010885954 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.027827978 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.027889967 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.028038979 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.028081894 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.028127909 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.028173923 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.028187990 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.028331995 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.028389931 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.028456926 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.028527975 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.028600931 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.028717995 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.028827906 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.028987885 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.029021978 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.029145002 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.029294014 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.029335022 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.029432058 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.029474020 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.029612064 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.029812098 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.029849052 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.029870987 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.030076027 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.030118942 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.030184031 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.030222893 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.030289888 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.030366898 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.030450106 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.030633926 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.034262896 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.038633108 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.039149046 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.043292999 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.047961950 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.048147917 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.052721024 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.057384968 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.057631969 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.062125921 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.066823959 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.066992044 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.071774006 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.076121092 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.076272011 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.081012964 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.085572958 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.085809946 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.088067055 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.091198921 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.091413975 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.096092939 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.100658894 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.100892067 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.105671883 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.110109091 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.110344887 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.114861012 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.119638920 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.119827032 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.124289036 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.129002094 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.129187107 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.133630037 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.138349056 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.138617992 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.143450975 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.169934034 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.169986963 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.170033932 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.170113087 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.170172930 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.170203924 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.187207937 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.187998056 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.190690994 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.190777063 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.190871954 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.190888882 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.190979958 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.191046000 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.191149950 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.191211939 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.201175928 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.201215982 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.201325893 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.201486111 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.204931021 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.205075026 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.209676027 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.209841967 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.214488983 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.215001106 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.219084978 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.219250917 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.223877907 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.224109888 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.228458881 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.228640079 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.233155012 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.233371973 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.237947941 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.238202095 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.242620945 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.243205070 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.247411013 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.247944117 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.252175093 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.252373934 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.257045031 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.257345915 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.261548996 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.261620045 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.266236067 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.266338110 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.270970106 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.271039009 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.275791883 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.275930882 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.280477047 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.280734062 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.285232067 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.285317898 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.289922953 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.290031910 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.294703007 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.294848919 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.299384117 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.299799919 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.304199934 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.304335117 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.308849096 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.308933973 CEST497497600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:09.313680887 CEST760049749194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:09.313873053 CEST497497600192.168.2.6194.5.98.23
Timestamp                            SrcPort DstPort Source IP    Dest IP
Jun 9, 2021 10:18:09.318214893 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.318392992 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.322993994 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.323151112 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.325206041 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.325401068 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.330991030 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.331535101 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.335890055 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.336095095 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.340593100 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.341310978 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.345287085 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.345644951 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.350274086 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.352407932 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.354756117 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.354967117 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.359596968 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.359822035 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.364214897 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.364420891 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.368882895 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.369139910 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.373605967 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.373802900 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.378283024 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.378490925 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.382994890 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.384555101 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.387908936 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.388145924 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.392771006 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.392991066 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.397279024 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.397885084 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.402057886 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.402290106 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.406790972 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.411406040 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.411730051 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.416131973 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.420881033 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.421049118 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.425532103 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.430358887 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.431143999 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.437402964 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.441210032 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.441414118 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.446415901 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.451986074 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.452195883 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.453953981 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.460179090 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.460352898 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.463572979 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.468157053 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.468363047 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.473037958 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.477569103 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.477751970 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.482276917 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.487257957 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.488500118 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.491709948 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.496427059 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.497183084 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.502619028 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.506220102 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.506674051 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.510488987 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.515243053 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.515974998 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.520457983 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.524648905 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.525038958 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.529344082 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.535419941 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.535732985 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.539948940 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.544754028 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.544995070 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.550339937 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.554481030 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.554718971 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.557821989 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.563409090 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.564493895 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.567224026 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.571945906 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.572782040 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.576644897 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.581548929 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.582027912 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.586143017 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.590969086 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.591876030 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.595505953 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.600429058 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.600605965 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.604944944 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.609654903 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.609864950 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.614346981 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.619147062 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.619393110 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.623874903 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.628474951 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.628633976 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.633174896 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.637907028 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.638056993 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.642668962 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.647360086 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.647684097 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.652061939 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.656749010 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.659137011 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.661413908 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.666224003 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.666416883 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.670993090 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.675602913 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.675721884 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.680303097 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.685010910 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.685226917 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.689799070 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.694500923 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.694817066 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.699168921 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.703854084 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.704092026 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.708544970 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.713265896 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.713489056 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.718132019 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.722919941 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.723150969 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.727801085 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.732336044 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.734440088 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.736952066 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.741724014 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.742233992 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.746433020 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.751188993 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.751462936 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.755994081 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.760618925 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.760963917 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.765338898 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.769912958 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.770133018 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.774650097 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.779488087 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.779619932 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.784112930 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.788779974 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.788988113 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.793694019 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.798281908 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.798482895 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.800524950 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.806983948 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.807131052 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.811948061 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.816668034 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.816797972 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.821321964 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.826040983 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.826227903 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.830667973 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.835478067 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.835576057 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.840253115 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.845279932 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.845469952 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.849975109 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.854696989 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.854825020 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.859411001 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.864073038 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.864500999 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.868818998 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.873497009 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.873817921 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.878258944 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.882910967 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.883184910 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.887582064 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.892293930 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.892518044 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.897011995 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.901779890 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.902059078 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:09.906594038 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.908816099 CEST  7600    49749   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:09.909024000 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:10.188009024 CEST  49749   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:14.402847052 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:14.565231085 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:14.565584898 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:14.574872971 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:14.834391117 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:14.835181952 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:15.000843048 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:15.002340078 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:15.345495939 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:15.348186016 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:15.514799118 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:15.537396908 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:15.913340092 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:15.913451910 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:16.073820114 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:16.112371922 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:16.268951893 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:16.269058943 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:16.646142960 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:16.646246910 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:16.998320103 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:16.998555899 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:17.210254908 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:17.359211922 CEST  7600    49751   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:17.361344099 CEST  49751   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:21.337693930 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:21.502032042 CEST  7600    49754   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:21.502863884 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:21.504394054 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:21.789637089 CEST  7600    49754   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:21.806679010 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:21.970480919 CEST  7600    49754   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:21.973381996 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:22.265125990 CEST  7600    49754   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:22.265316010 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:22.423356056 CEST  7600    49754   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:22.423557043 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:22.773611069 CEST  7600    49754   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:22.773878098 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:22.931567907 CEST  7600    49754   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:22.985018015 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:23.140304089 CEST  7600    49754   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:23.188111067 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:23.189234018 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:23.553018093 CEST  7600    49754   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:24.189467907 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:24.240659952 CEST  7600    49754   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:24.240951061 CEST  49754   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:28.575592041 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:28.745846033 CEST  7600    49756   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:28.747499943 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:28.786603928 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:29.040997982 CEST  7600    49756   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:29.058499098 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:29.238862991 CEST  7600    49756   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:29.245413065 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:29.535892963 CEST  7600    49756   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:29.537672043 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:29.713681936 CEST  7600    49756   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:29.715491056 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:30.087110996 CEST  7600    49756   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:30.089523077 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:30.261948109 CEST  7600    49756   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:30.305098057 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:30.496705055 CEST  7600    49756   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:30.545021057 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:30.547893047 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:30.918873072 CEST  7600    49756   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:31.334604979 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:31.344801903 CEST  49756   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:35.682502985 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:36.536943913 CEST  7600    49758   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:36.537132025 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:36.537856102 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:37.031686068 CEST  7600    49758   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:37.032280922 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:37.216342926 CEST  7600    49758   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:37.217525959 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:37.561067104 CEST  7600    49758   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:37.561218023 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:37.850219965 CEST  7600    49758   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:37.850485086 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:38.303997993 CEST  7600    49758   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:38.304153919 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:38.796840906 CEST  7600    49758   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:38.844331980 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:39.268177032 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:39.304932117 CEST  7600    49758   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:39.305011034 CEST  49758   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:43.473776102 CEST  49759   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:43.801059961 CEST  7600    49759   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:43.803191900 CEST  49759   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:43.838798046 CEST  49759   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:44.150518894 CEST  7600    49759   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:44.151137114 CEST  49759   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:44.547555923 CEST  7600    49759   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:44.547727108 CEST  49759   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:44.972006083 CEST  7600    49759   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:44.972167015 CEST  49759   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:45.514053106 CEST  7600    49759   194.5.98.23  192.168.2.6
Jun 9, 2021 10:18:45.563677073 CEST  49759   7600    192.168.2.6  194.5.98.23
Jun 9, 2021 10:18:45.666383028 CEST  49759   7600    192.168.2.6  194.5.98.23
                                                    Jun 9, 2021 10:18:45.895450115 CEST760049759194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:45.938972950 CEST497597600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:46.059814930 CEST760049759194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:46.059894085 CEST497597600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:46.408457994 CEST497597600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:46.442769051 CEST760049759194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:46.444024086 CEST497597600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:50.506695986 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:50.705849886 CEST760049760194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:50.706099033 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:50.830080032 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:51.142512083 CEST760049760194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:51.145504951 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:51.401036978 CEST760049760194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:51.402977943 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:51.732896090 CEST760049760194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:51.732978106 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:51.936933041 CEST760049760194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:51.937063932 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:52.325294971 CEST760049760194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:52.325416088 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:52.539587021 CEST760049760194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:52.539699078 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:52.718488932 CEST760049760194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:52.767396927 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:53.456540108 CEST497607600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:57.693588972 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:57.900825024 CEST760049761194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:57.900978088 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:57.919644117 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:58.270663977 CEST760049761194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:58.271122932 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:58.484328985 CEST760049761194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:58.484623909 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:58.910828114 CEST760049761194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:58.910945892 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:59.234168053 CEST760049761194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:59.277978897 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:59.487811089 CEST760049761194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:59.487943888 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:18:59.887291908 CEST760049761194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:18:59.887451887 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:00.091487885 CEST760049761194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:00.143024921 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:00.352065086 CEST760049761194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:00.393187046 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:00.495460033 CEST497617600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:04.790530920 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:04.987757921 CEST760049762194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:04.987879038 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:04.988403082 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:05.278948069 CEST760049762194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:05.279225111 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:05.465354919 CEST760049762194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:05.470882893 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:05.805862904 CEST760049762194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:05.806080103 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:05.994451046 CEST760049762194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:05.995429993 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:06.358640909 CEST760049762194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:06.362519979 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:06.557463884 CEST760049762194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:06.559565067 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:06.736478090 CEST760049762194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:06.784229994 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:07.505964994 CEST497627600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:11.565531015 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:11.720729113 CEST760049763194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:11.720843077 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:11.721304893 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:12.051204920 CEST760049763194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:12.051520109 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:12.206367970 CEST760049763194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:12.207010984 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:12.529697895 CEST760049763194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:12.530293941 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:12.697676897 CEST760049763194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:12.699636936 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:12.860502005 CEST760049763194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:12.862082005 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:13.023726940 CEST760049763194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:13.066070080 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:13.231223106 CEST760049763194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:13.284761906 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:16.879476070 CEST760049763194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:16.925662994 CEST497637600192.168.2.6194.5.98.23
                                                    Jun 9, 2021 10:19:17.410129070 CEST760049763194.5.98.23192.168.2.6
                                                    Jun 9, 2021 10:19:17.410248995 CEST497637600192.168.2.6194.5.98.23

UDP Packets

Timestamp                            Source Port  Dest Port    Source IP    Dest IP
Jun 9, 2021 10:16:43.424427032 CEST  53           63791        8.8.8.8      192.168.2.6
Jun 9, 2021 10:16:43.455324888 CEST  53           64267        8.8.8.8      192.168.2.6
Jun 9, 2021 10:16:44.901736021 CEST  49448        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:16:44.946643114 CEST  53           49448        8.8.8.8      192.168.2.6
Jun 9, 2021 10:16:45.965004921 CEST  60342        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:16:46.007139921 CEST  53           60342        8.8.8.8      192.168.2.6
Jun 9, 2021 10:16:48.410188913 CEST  61346        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:16:48.452910900 CEST  53           61346        8.8.8.8      192.168.2.6
Jun 9, 2021 10:16:54.163933039 CEST  51774        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:16:54.206262112 CEST  53           51774        8.8.8.8      192.168.2.6
Jun 9, 2021 10:16:59.855874062 CEST  56023        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:16:59.898199081 CEST  53           56023        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:02.294332981 CEST  58384        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:02.337049961 CEST  53           58384        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:03.507908106 CEST  60261        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:03.552990913 CEST  53           60261        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:05.131751060 CEST  56061        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:05.174221039 CEST  53           56061        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:07.268014908 CEST  58336        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:07.310198069 CEST  53           58336        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:08.407583952 CEST  53781        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:08.452543974 CEST  53           53781        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:09.311162949 CEST  54064        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:09.355267048 CEST  53           54064        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:10.783947945 CEST  52811        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:10.827783108 CEST  53           52811        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:12.296200037 CEST  55299        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:12.338763952 CEST  53           55299        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:14.190140963 CEST  63745        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:14.232836962 CEST  53           63745        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:15.688725948 CEST  50055        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:15.731726885 CEST  53           50055        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:15.815660954 CEST  61374        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:15.869218111 CEST  53           61374        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:16.699527025 CEST  50339        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:16.742196083 CEST  53           50339        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:35.445327997 CEST  63307        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:35.559591055 CEST  53           63307        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:36.117239952 CEST  49694        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:36.266861916 CEST  53           49694        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:36.282944918 CEST  54982        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:36.333930016 CEST  53           54982        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:36.846147060 CEST  50010        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:36.889211893 CEST  53           50010        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:37.452454090 CEST  63718        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:37.725053072 CEST  53           63718        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:38.016887903 CEST  62116        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:38.059755087 CEST  53           62116        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:38.522145033 CEST  63816        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:38.564718008 CEST  53           63816        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:39.634669065 CEST  55014        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:39.826172113 CEST  53           55014        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:41.453665018 CEST  62208        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:41.732521057 CEST  53           62208        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:42.632949114 CEST  57574        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:42.676455021 CEST  53           57574        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:43.518721104 CEST  51818        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:43.642427921 CEST  53           51818        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:44.111557961 CEST  56628        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:44.154566050 CEST  53           56628        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:51.666461945 CEST  60778        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:51.725141048 CEST  53           60778        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:53.225133896 CEST  53799        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:53.269629002 CEST  53           53799        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:53.933953047 CEST  54683        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:53.991584063 CEST  53           54683        8.8.8.8      192.168.2.6
Jun 9, 2021 10:17:56.619098902 CEST  59329        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:17:56.663336039 CEST  53           59329        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:00.217374086 CEST  64021        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:00.261193037 CEST  53           64021        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:07.291168928 CEST  56129        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:07.336222887 CEST  53           56129        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:14.232737064 CEST  58177        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:14.277889967 CEST  53           58177        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:16.122040033 CEST  50700        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:16.167784929 CEST  53           50700        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:21.288279057 CEST  54069        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:21.331211090 CEST  53           54069        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:27.958290100 CEST  61178        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:28.017019987 CEST  53           61178        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:28.492014885 CEST  57017        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:28.538165092 CEST  53           57017        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:30.202621937 CEST  56327        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:30.256763935 CEST  53           56327        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:35.611330986 CEST  50243        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:35.654213905 CEST  53           50243        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:43.429347038 CEST  62055        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:43.472330093 CEST  53           62055        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:50.458369017 CEST  61249        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:50.504792929 CEST  53           61249        8.8.8.8      192.168.2.6
Jun 9, 2021 10:18:57.546703100 CEST  65252        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:18:57.590898037 CEST  53           65252        8.8.8.8      192.168.2.6
Jun 9, 2021 10:19:04.653218031 CEST  64367        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:19:04.696090937 CEST  53           64367        8.8.8.8      192.168.2.6
Jun 9, 2021 10:19:11.520154953 CEST  55066        53           192.168.2.6  8.8.8.8
Jun 9, 2021 10:19:11.564773083 CEST  53           55066        8.8.8.8      192.168.2.6

DNS Queries

Timestamp                            Source IP    Dest IP      Trans ID  OP Code             Name                   Type            Class
Jun 9, 2021 10:17:53.225133896 CEST  192.168.2.6  8.8.8.8      0x288e    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:00.217374086 CEST  192.168.2.6  8.8.8.8      0xcc42    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:07.291168928 CEST  192.168.2.6  8.8.8.8      0x7ae     Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:14.232737064 CEST  192.168.2.6  8.8.8.8      0x4293    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:21.288279057 CEST  192.168.2.6  8.8.8.8      0x1198    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:28.492014885 CEST  192.168.2.6  8.8.8.8      0x5b7e    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:35.611330986 CEST  192.168.2.6  8.8.8.8      0x68f5    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:43.429347038 CEST  192.168.2.6  8.8.8.8      0x5ad6    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:50.458369017 CEST  192.168.2.6  8.8.8.8      0x33db    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:57.546703100 CEST  192.168.2.6  8.8.8.8      0xebf2    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:19:04.653218031 CEST  192.168.2.6  8.8.8.8      0xb789    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)
Jun 9, 2021 10:19:11.520154953 CEST  192.168.2.6  8.8.8.8      0xc67e    Standard query (0)  ifybest85fff.ddns.net  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP    Dest IP      Trans ID  Reply Code    Name                   CName  Address      Type            Class
Jun 9, 2021 10:17:53.269629002 CEST  8.8.8.8      192.168.2.6  0x288e    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:00.261193037 CEST  8.8.8.8      192.168.2.6  0xcc42    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:07.336222887 CEST  8.8.8.8      192.168.2.6  0x7ae     No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:14.277889967 CEST  8.8.8.8      192.168.2.6  0x4293    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:21.331211090 CEST  8.8.8.8      192.168.2.6  0x1198    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:28.538165092 CEST  8.8.8.8      192.168.2.6  0x5b7e    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:35.654213905 CEST  8.8.8.8      192.168.2.6  0x68f5    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:43.472330093 CEST  8.8.8.8      192.168.2.6  0x5ad6    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:50.504792929 CEST  8.8.8.8      192.168.2.6  0x33db    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:18:57.590898037 CEST  8.8.8.8      192.168.2.6  0xebf2    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:19:04.696090937 CEST  8.8.8.8      192.168.2.6  0xb789    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
Jun 9, 2021 10:19:11.564773083 CEST  8.8.8.8      192.168.2.6  0xc67e    No error (0)  ifybest85fff.ddns.net  -      194.5.98.23  A (IP address)  IN (0x0001)
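
The TCP and DNS tables above show the implant re-resolving ifybest85fff.ddns.net and opening a fresh connection to 194.5.98.23:7600 roughly every seven seconds. The script below is an added example, not part of the Joe Sandbox report or of NanoCore: it takes the connection-start and query timestamps transcribed from the tables above and flags a fixed cadence towards one server plus a dynamic-DNS name. The timestamp parser, the dynamic-DNS suffix list and the thresholds (at least four events, coefficient of variation of the gaps at most 0.15) are assumptions of this example.

```python
"""Beaconing check over the NanoCore network trace shown in this report.

Added example, not Joe Sandbox logic. The event times below are transcribed
from the TCP and DNS tables above; the timestamp parser, the dynamic-DNS
suffix list and the thresholds are assumptions of this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Report timestamps look like "Jun 9, 2021 10:18:35.682502985 CEST". datetime
# holds microseconds only, so the last three digits are dropped; the zone is
# ignored because every row of one report shares it.
_TS_RE = re.compile(r"(\w{3}) (\d{1,2}), (\d{4}) (\d{2}):(\d{2}):(\d{2})\.(\d+) \w+")

def parse_ts(text):
    m = _TS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    mon, day, year, hh, mm, ss, frac = m.groups()
    month = datetime.strptime(mon, "%b").month
    return datetime(int(year), month, int(day), int(hh), int(mm), int(ss),
                    int(frac[:6].ljust(6, "0")))

# Dynamic-DNS providers (assumed list; ddns.net is the one this sample uses).
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "duckdns.org")

def is_dyndns(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)

def regularity(times):
    """(event count, mean gap in s, coefficient of variation of the gaps);
    a low CV means the events keep a fixed cadence, the mark of a beacon."""
    times = sorted(times)
    if len(times) < 3:
        return len(times), None, None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mu = mean(gaps)
    return len(times), mu, (pstdev(gaps) / mu if mu > 0 else None)

def find_tcp_beacons(packets, min_conns=4, max_cv=0.15):
    """packets: (timestamp, src_port, dst_port, src_ip, dst_ip). A fresh client
    source port is a fresh connection; connection starts that recur at a fixed
    gap towards one (server, port) pair are reported."""
    first_seen = {}
    for ts, sport, dport, sip, dip in packets:
        key, t = (sip, dip, dport, sport), parse_ts(ts)
        if key not in first_seen or t < first_seen[key]:
            first_seen[key] = t
    by_server = defaultdict(list)
    for (sip, dip, dport, _), t in first_seen.items():
        by_server[(sip, dip, dport)].append(t)
    hits = []
    for (sip, dip, dport), starts in by_server.items():
        n, mu, cv = regularity(starts)
        if n >= min_conns and cv is not None and cv <= max_cv:
            hits.append({"client": sip, "server": dip, "port": dport, "connections": n,
                         "mean_gap_s": round(mu, 2), "cv": round(cv, 3)})
    return hits

def find_dns_beacons(queries, min_queries=4, max_cv=0.15):
    """queries: (timestamp, name). Re-resolving one name at a fixed gap, as the
    sample does with its ddns.net host, is reported with a dyndns flag."""
    by_name = defaultdict(list)
    for ts, name in queries:
        by_name[name.lower()].append(parse_ts(ts))
    hits = []
    for name, times in by_name.items():
        n, mu, cv = regularity(times)
        if n >= min_queries and cv is not None and cv <= max_cv:
            hits.append({"name": name, "dyndns": is_dyndns(name), "queries": n,
                         "mean_gap_s": round(mu, 2), "cv": round(cv, 3)})
    return hits

# First outbound packet of each C2 connection whose start is visible in the TCP
# table above (the 49756 connection began earlier and is left out).
TCP_SAMPLE = [
    ("Jun 9, 2021 10:18:35.682502985 CEST", 49758, 7600, "192.168.2.6", "194.5.98.23"),
    ("Jun 9, 2021 10:18:43.473776102 CEST", 49759, 7600, "192.168.2.6", "194.5.98.23"),
    ("Jun 9, 2021 10:18:50.506695986 CEST", 49760, 7600, "192.168.2.6", "194.5.98.23"),
    ("Jun 9, 2021 10:18:57.693588972 CEST", 49761, 7600, "192.168.2.6", "194.5.98.23"),
    ("Jun 9, 2021 10:19:04.790530920 CEST", 49762, 7600, "192.168.2.6", "194.5.98.23"),
    ("Jun 9, 2021 10:19:11.565531015 CEST", 49763, 7600, "192.168.2.6", "194.5.98.23"),
]
# The twelve A queries from the DNS Queries table above.
DNS_SAMPLE = [("Jun 9, 2021 " + t + " CEST", "ifybest85fff.ddns.net") for t in (
    "10:17:53.225133896", "10:18:00.217374086", "10:18:07.291168928", "10:18:14.232737064",
    "10:18:21.288279057", "10:18:28.492014885", "10:18:35.611330986", "10:18:43.429347038",
    "10:18:50.458369017", "10:18:57.546703100", "10:19:04.653218031", "10:19:11.520154953",
)]

if __name__ == "__main__":
    for hit in find_tcp_beacons(TCP_SAMPLE) + find_dns_beacons(DNS_SAMPLE):
        print(hit)
```

On a full capture, feed every outbound packet and the first-seen logic picks out the start of each connection by itself; only the six connections whose first packet lies inside the table above are listed here. The signal worth alerting on is the combination: a low coefficient of variation over many connection starts, a high non-standard port, and a name under a dynamic-DNS provider that resolves to the same address every time.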

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 10:17:04
Start date: 09/06/2021
Path: C:\Users\user\Desktop\payment invoice.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\payment invoice.exe'
Imagebase: 0xec0000
File size: 1043456 bytes
MD5 hash: 845D5DC8393BF7652F744E7FA7DFB3C3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 10:17:47
Start date: 09/06/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp'
Imagebase: 0xed0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                    General

                                                    Start time:10:17:47
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff61de10000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:17:48
                                                    Start date:09/06/2021
                                                    Path:C:\Users\user\Desktop\payment invoice.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0x5c0000
                                                    File size:1043456 bytes
                                                    MD5 hash:845D5DC8393BF7652F744E7FA7DFB3C3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.649963116.0000000006C40000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.649963116.0000000006C40000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650188515.0000000006F20000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650188515.0000000006F20000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650157575.0000000006F10000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650157575.0000000006F10000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.648469077.0000000005280000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.648469077.0000000005280000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.646977313.0000000003C89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650009265.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650009265.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650292848.0000000006F50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650292848.0000000006F50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650225160.0000000006F30000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650225160.0000000006F30000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650482817.0000000006F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650482817.0000000006F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650261294.0000000006F40000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650261294.0000000006F40000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650324913.0000000006F60000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650324913.0000000006F60000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.647259512.0000000003E25000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.650370900.0000000006F70000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650370900.0000000006F70000.00000004.00000001.sdmp, Author: Florian Roth
                                                    Reputation:low
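The Yara matches listed above are keyed by memory-dump source name, and the same rule fires on very different kinds of memory: a region at the image's 0x402000 address that is writable and executable in a dump taken at process start, and read-write regions at high addresses in dumps taken at the end of the run. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It parses the dump names and groups the hits by process index, dump stage and page protection so that the two cases can be told apart. The field layout and the meaning of the stage and protection fields are assumptions inferred from the values on this page (stage 00000000 taken as "process start", 00000002 as "analysis end", and the protection field taken as the Win32 PAGE_* value); the sample lines are a constructed subset of the matches listed above for process index 0x0B.

```python
"""Group Joe Sandbox YARA hits by process, dump stage and memory protection.

Added example, not part of the Joe Sandbox report or Joe Security's tooling.
Assumption about the dump source naming (not documented on the page):
  <process index>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp
where stage 00000000 is a dump taken at process start, 00000002 a dump taken
at the end of the analysis, and <protection> carries the Win32 PAGE_* value
(0x04 = PAGE_READWRITE, 0x40 = PAGE_EXECUTE_READWRITE).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Win32 memory protection constants (winnt.h); these are distinct values, not flag bits.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
PAGE_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
STAGE_NAMES = {0: "start", 2: "end"}  # assumed meaning of the stage field

DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE)
# Matches the report's "Rule: <name>, Description: ..., Source: <dump>.sdmp, Author: ..." lines.
HIT_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+\.sdmp)")


@dataclass(frozen=True)
class DumpSource:
    process_index: int
    stage: str
    dump_id: int
    base: int
    protection: int
    mem_type: int


def parse_dump_source(name: str) -> DumpSource:
    """Split a .sdmp name into its fields (assumed layout in the module docstring)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump source: {name}")
    stage = int(m["stage"], 16)
    return DumpSource(
        process_index=int(m["proc"], 16),
        stage=STAGE_NAMES.get(stage, f"stage{stage}"),
        dump_id=int(m["dump"]),
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
        mem_type=int(m["type"], 16),
    )


def parse_hits(report_text: str):
    """Yield (rule name, DumpSource) for every Yara match line in the text."""
    for line in report_text.splitlines():
        m = HIT_RE.search(line)
        if m:
            yield m["rule"].strip(), parse_dump_source(m["src"])


def summarize(report_text: str) -> dict:
    """Map (process index, stage, base address, protection) -> sorted rule names."""
    regions = defaultdict(set)
    for rule, src in parse_hits(report_text):
        regions[(src.process_index, src.stage, src.base, src.protection)].add(rule)
    return {key: sorted(rules) for key, rules in sorted(regions.items())}


def injected_image_regions(summary: dict) -> list:
    """(process index, base) of regions that were already RWX in a start-of-process dump.

    A writable-and-executable region at the image's code address, full of RAT
    signatures before the process has run, is what a loader that wrote its
    payload into a suspended copy of itself leaves behind. That reading is an
    assumption of this example, not a statement made by the report.
    """
    return [(proc, base) for (proc, stage, base, prot) in summary
            if stage == "start" and prot == PAGE_EXECUTE_READWRITE]


def format_summary(summary: dict) -> list:
    """One readable line per region, e.g. 'proc 0x0B end   0x05470000 PAGE_READWRITE: ...'."""
    return [f"proc 0x{proc:02X} {stage:<5} 0x{base:08X} {PAGE_NAMES.get(prot, hex(prot))}: "
            + ", ".join(rules)
            for (proc, stage, base, prot), rules in summary.items()]


# Constructed subset of the report's Yara lines for process index 0x0B.
SAMPLE_HITS = """\
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, Author: Florian Roth
"""

if __name__ == "__main__":
    regions = summarize(SAMPLE_HITS)
    for line in format_summary(regions):
        print(line)
    print("RWX regions in start-of-process dumps:", injected_image_regions(regions))
```

Run against the full match list for process 0x0B above, the grouping separates the three rules that hit the RWX region at 0x402000 in the start dump from the Gen_2/Feb18_1 pairs that hit read-write regions at 0x5280000 and above in the end dumps; the former is the region to carve out and unpack, the latter are where to look for the decrypted configuration that produced the "Found malware configuration" signature.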

                                                    General

                                                    Start time:10:17:50
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD79F.tmp'
                                                    Imagebase:0xed0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:17:51
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff61de10000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:17:52
                                                    Start date:09/06/2021
                                                    Path:C:\Users\user\Desktop\payment invoice.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\payment invoice.exe' 0
                                                    Imagebase:0x5e0000
                                                    File size:1043456 bytes
                                                    MD5 hash:845D5DC8393BF7652F744E7FA7DFB3C3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:10:18:30
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmp70E1.tmp'
                                                    Imagebase:0xed0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:18:32
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff61de10000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:18:35
                                                    Start date:09/06/2021
                                                    Path:C:\Users\user\Desktop\payment invoice.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0x5e0000
                                                    File size:1043456 bytes
                                                    MD5 hash:845D5DC8393BF7652F744E7FA7DFB3C3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low
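The process chain recorded above is a compact detection case: the .NET loader registers the task Updates\GotewYBrdNy from an XML file in the user's Temp directory, starts a second copy of its own image, and that copy registers DHCP Monitor the same way, each schtasks.exe dragging a conhost.exe along. The script below is an added example, not part of the Joe Sandbox report. It runs those two checks (schtasks /create with an /xml argument under a temp directory, and a process launching a copy of its own image) over process-creation events shaped like Sysmon Event ID 1 records and attributes every hit back to the first process in the chain, so that the two task registrations and the self-spawn land on one alert for the original payment invoice.exe. The event list is constructed to mirror the chain on this page; the PIDs, the explorer.exe parent and the benign control event are invented, and the record field names are the script's own.

```python
"""Flag schtasks-from-Temp persistence and self-spawning over process-creation events.

Added example, not part of the Joe Sandbox report. Events are shaped like
Sysmon Event ID 1 / Windows 4688 records (pid, ppid, image path, command line);
the field names are this script's own. The sample events mirror the chain in
the report; PIDs and the benign control event are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


# Directories an installer has no business importing a task definition from.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# schtasks accepts /XML and /TN values quoted with ' or " or bare; all three are handled.
XML_ARG = re.compile(r"""/xml\s+(?:'([^']+)'|"([^"]+)"|(\S+))""", re.IGNORECASE)
TN_ARG = re.compile(r"""/tn\s+(?:'([^']+)'|"([^"]+)"|(\S+))""", re.IGNORECASE)


def _arg(rx, cmdline):
    """Return the value of a quoted-or-bare argument, or None if absent."""
    m = rx.search(cmdline)
    return next((g for g in m.groups() if g), None) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_schtasks_xml(ev):
    """schtasks.exe /create ... /xml <file under a temp directory>."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.command_line.lower():
        return None
    xml = _arg(XML_ARG, ev.command_line)
    if xml is None or not any(d in xml.lower() for d in TEMP_DIRS):
        return None
    return Alert("schtasks_create_from_temp_xml", ev.pid,
                 f"task {_arg(TN_ARG, ev.command_line)} imported from {xml}")


def check_self_spawn(ev, by_pid):
    """A process whose parent runs the very same image path (loader restarting itself)."""
    parent = by_pid.get(ev.ppid)
    if parent is not None and parent.image.lower() == ev.image.lower():
        return Alert("self_spawn", ev.pid,
                     f"{basename(ev.image)} (pid {ev.ppid}) started another copy of itself as pid {ev.pid}")
    return None


def scan(events):
    """Run both checks over every event, in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        for alert in (check_schtasks_xml(ev), check_self_spawn(ev, by_pid)):
            if alert is not None:
                alerts.append(alert)
    return alerts


def origin_pid(by_pid, pid):
    """Climb the parent chain while parent and child share an image, so that
    activity of a self-spawned copy is attributed to the original process."""
    cur = by_pid.get(pid)
    if cur is None:
        return pid
    parent = by_pid.get(cur.ppid)
    while parent is not None and parent.image.lower() == cur.image.lower():
        cur, parent = parent, by_pid.get(parent.ppid)
    return cur.pid


def attribute(events):
    """Map origin pid -> rule names fired by it or by copies it spawned."""
    by_pid = {e.pid: e for e in events}
    grouped = {}
    for alert in scan(events):
        # a schtasks alert belongs to whoever launched schtasks; a self-spawn alert to the copy
        start = alert.pid if alert.rule == "self_spawn" else by_pid[alert.pid].ppid
        grouped.setdefault(origin_pid(by_pid, start), []).append(alert.rule)
    return grouped


# Constructed events mirroring the chain in the report; PIDs are invented.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 1, r"C:\Users\user\Desktop\payment invoice.exe",
              r'"C:\Users\user\Desktop\payment invoice.exe"'),
    ProcEvent(101, 100, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp'"),
    ProcEvent(102, 100, r"C:\Users\user\Desktop\payment invoice.exe",
              r"'C:\Users\user\Desktop\payment invoice.exe' 0"),
    ProcEvent(103, 102, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD79F.tmp'"),
    ProcEvent(104, 103, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # constructed benign control: a task imported from outside a temp directory is not flagged
    ProcEvent(200, 1, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Contoso\Backup" /XML "C:\ProgramData\Contoso\backup-task.xml"'),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] pid {alert.pid}: {alert.detail}")
    print(attribute(SAMPLE_EVENTS))
```

The attribution step matters more than either check on its own: a single schtasks /xml import from Temp is noisy on developer machines, and a process restarting itself is common for updaters, but one origin process that does both within seconds is the loader pattern this report shows, and it is also the process whose memory holds the injected payload.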

                                                    Disassembly

                                                    Code Analysis

                                                      Executed Functions

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 058699D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 8c9ee02fee825480ea46f93c2030cacf183fc2ef619e67af598c8cd68846a3c6
                                                      • Instruction ID: 809da52e13ee583736a55c50075fb71bb2fc2a1d83800024d33f52fcee352419
                                                      • Opcode Fuzzy Hash: 8c9ee02fee825480ea46f93c2030cacf183fc2ef619e67af598c8cd68846a3c6
                                                      • Instruction Fuzzy Hash: FB712470A00B058FDB24DF2AD54576ABBF6FF88204F10892DD94AD7B80DB75E909CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 05865829
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 7060edd4d84fdd5a50b3d8ef1fc2ed9c6d2c37ea60afd89513e9bc1e80305562
                                                      • Instruction ID: a0f538a5810c73f8e0f54783d26d16648a41899da98c5afec14ab79b28512dce
                                                      • Opcode Fuzzy Hash: 7060edd4d84fdd5a50b3d8ef1fc2ed9c6d2c37ea60afd89513e9bc1e80305562
                                                      • Instruction Fuzzy Hash: 7241F2B1C04619CFDB24DFA9C9857DEBBB1BF48308F60806AD909BB251DB745946CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 05865829
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 67cd8b377d0243b101a7966f0aa345cd1a04b784b18880d146cf8805532fd835
                                                      • Instruction ID: 5480df3422ebb9c431d490d71742041b7dede55f373147525e347faff641f408
                                                      • Opcode Fuzzy Hash: 67cd8b377d0243b101a7966f0aa345cd1a04b784b18880d146cf8805532fd835
                                                      • Instruction Fuzzy Hash: 6841E270C0471CCBDB24DFA9C985B9EBBB5BF48308F608069D909BB251DB756945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 059927D1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473791385.0000000005990000.00000040.00000001.sdmp, Offset: 05990000, based on PE: false
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID:
                                                      • API String ID: 2714655100-0
                                                      • Opcode ID: 12d84f658650c0f36bb8eb9b3f90ce188d371a31e7c89675f840be66e6b61e21
                                                      • Instruction ID: 7dad64b0156b060d9df49ce5f17c9b4d93b81bda3e7e0d2f36ae0a0d6ae4095f
                                                      • Opcode Fuzzy Hash: 12d84f658650c0f36bb8eb9b3f90ce188d371a31e7c89675f840be66e6b61e21
                                                      • Instruction Fuzzy Hash: B641F9B8900345DFDF14CF99C488AAABBF5FB88314F29C459E519AB321D774A845CFA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0586BC76,?,?,?,?,?), ref: 0586BD37
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 487c835676f8ab0820672677cd2f484c92aa07de60227afb62731006ba82fda1
                                                      • Instruction ID: 68bd66f4ebd3c44d53ce885bf739ea47a2e06b991ff41305b21384b54f92eb8f
                                                      • Opcode Fuzzy Hash: 487c835676f8ab0820672677cd2f484c92aa07de60227afb62731006ba82fda1
                                                      • Instruction Fuzzy Hash: 4021E5B59002589FDB10CFAAD984AEEBBF4FB48324F14841AE915E7310D378A954CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0586BC76,?,?,?,?,?), ref: 0586BD37
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 0667afc408be836e608c3f15693bfdf6e9f8f5d49829993be03396551c6026f8
                                                      • Instruction ID: f3387a05c32a13697b3a1143c4dadbc47219d602a5b45a9704b00519651b0e62
                                                      • Opcode Fuzzy Hash: 0667afc408be836e608c3f15693bfdf6e9f8f5d49829993be03396551c6026f8
                                                      • Instruction Fuzzy Hash: 8D21E6B59002589FDB10CFAAD884ADEBBF4FB48324F14841AE915A7310D378A954CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05869A51,00000800,00000000,00000000), ref: 05869C62
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 510dd545a1a679436d045f9a1817211971ed055157cbeaee8ae6eb3f1c14fdda
                                                      • Instruction ID: cce840fc7daf5c0f6dd36c1bd1c85f1d6702d7d839ca9e41178eb638d061659b
                                                      • Opcode Fuzzy Hash: 510dd545a1a679436d045f9a1817211971ed055157cbeaee8ae6eb3f1c14fdda
                                                      • Instruction Fuzzy Hash: 641117B59043498FCB10CF9AC484ADEFBF4EB58314F11842AE915A7240C374A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05869A51,00000800,00000000,00000000), ref: 05869C62
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 277ad8ce527b934e6de39a1b176c77e3e562ae90e71b8d487a3b4a91f6ca2b2b
                                                      • Instruction ID: 880205ace275c07493108c94d3338606eda21a04066d253c6349954376055d3f
                                                      • Opcode Fuzzy Hash: 277ad8ce527b934e6de39a1b176c77e3e562ae90e71b8d487a3b4a91f6ca2b2b
                                                      • Instruction Fuzzy Hash: 9D1129B6D043498FCB10CFAAC844ADEFBF8FB58314F15842AE915A7240C374A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 058699D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 948a0e229a30af96d49e68b86f468843f41bd9880bcfc85992c607ef701d9192
                                                      • Instruction ID: fe776a2c2fa30e8c54b9e7fbcf4181cc62823cc726676d96d45ccea88989bfb1
                                                      • Opcode Fuzzy Hash: 948a0e229a30af96d49e68b86f468843f41bd9880bcfc85992c607ef701d9192
                                                      • Instruction Fuzzy Hash: BE11D2B5C006498FCB10DF9AD444ADEFBF8EB88224F15841AD859B7740D374A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.467455764.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 23496b283dfb521262735f6c70d7ba6e6814da155f39819e1c4d19f87cd7a882
                                                      • Instruction ID: eb21c0138db9a49f666dbc2aad2555947bd152d00dc327684b68e5e753911fcc
                                                      • Opcode Fuzzy Hash: 23496b283dfb521262735f6c70d7ba6e6814da155f39819e1c4d19f87cd7a882
                                                      • Instruction Fuzzy Hash: 1A2121B1504244DFCB05EF54D8C0B26BB65FB98728F2086BDE9058A246C336D956CAE1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.467529539.00000000018DD000.00000040.00000001.sdmp, Offset: 018DD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e3ff047477e229d2f42f70e5fc919fd39edb01e65d0a06638258729ba7fb6c38
                                                      • Instruction ID: 4ace6000f66248dd341145e4fbcc1f22f7c4387a3d2e91157767a7a71a45c5f0
                                                      • Opcode Fuzzy Hash: e3ff047477e229d2f42f70e5fc919fd39edb01e65d0a06638258729ba7fb6c38
                                                      • Instruction Fuzzy Hash: AC2125B1504304DFCB15DF64D8C0B16BB65FBC4358F24C669E9098B286C736DD47CA61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.467529539.00000000018DD000.00000040.00000001.sdmp, Offset: 018DD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 806fb9fdcf0e87c981a74606d325568134166cb7eb955a7edb51cef16f1439c3
                                                      • Instruction ID: b78a7532be723c78f85ee62c56d22701a8651de89cc06e4e8b30f499bd3369a8
                                                      • Opcode Fuzzy Hash: 806fb9fdcf0e87c981a74606d325568134166cb7eb955a7edb51cef16f1439c3
                                                      • Instruction Fuzzy Hash: 9E210A71504304DFDB05DF94D9C0B26BB65FB84328F24C66DE9498B282C736E946CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.467529539.00000000018DD000.00000040.00000001.sdmp, Offset: 018DD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2d7e0b8362babf74b285e2c7e5897aebf78c5d24f3ecb0773ebbb1fa5329e8cb
                                                      • Instruction ID: 63981ee55043951bd158f22ac6dec6d8c0a0a9e367acfd1d02eaef98e59404bf
                                                      • Opcode Fuzzy Hash: 2d7e0b8362babf74b285e2c7e5897aebf78c5d24f3ecb0773ebbb1fa5329e8cb
                                                      • Instruction Fuzzy Hash: 572192755093C08FCB12CF24D990715BF71EB86314F28C6EAD8498B697C33A994ACB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.467455764.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                      • Instruction ID: 76eff827fc1e0c17939db1cdbdeae6ef1aa8616d77d37eee286fbaa5e2b5e789
                                                      • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                      • Instruction Fuzzy Hash: 7311E176404280CFCB02DF14D9C0B16BF71FB94724F24C6ADE8454B616C336D55ACBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.467529539.00000000018DD000.00000040.00000001.sdmp, Offset: 018DD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aa6bdbb04686500b4f88f9c2907b36233d3495acb1519a01dcdcc91fed9e3004
                                                      • Instruction ID: d70ca5bf91f48580a86d61b186794ab9dfc92390bb785a2917d639c5a41303fc
                                                      • Opcode Fuzzy Hash: aa6bdbb04686500b4f88f9c2907b36233d3495acb1519a01dcdcc91fed9e3004
                                                      • Instruction Fuzzy Hash: A5118B75904280DFDB12CF54D5C4B15BBB2FB84324F28C6A9D8498B696C33AE54ACB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.467455764.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 194544a763a00963f19d2e50a97724519abb7816f7b92b0eb034bd2df3a03e69
                                                      • Instruction ID: a88959734c42b0ba1cfa0e4e6ce51bb68798ededd9b3b9c72bbb6a3f20d357c6
                                                      • Opcode Fuzzy Hash: 194544a763a00963f19d2e50a97724519abb7816f7b92b0eb034bd2df3a03e69
                                                      • Instruction Fuzzy Hash: 4401F7710083849AE7216F69CD84B67BB98EF41728F18C67EEE089B246D379D944C6F1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.467455764.00000000018CD000.00000040.00000001.sdmp, Offset: 018CD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f63d7c2077d18a98e3ee492d1a3c4303713505934110497a3749a1819fa8d452
                                                      • Instruction ID: 18c22d11df5aeb2d2fe1c5d29476f2f99dc3c4db1eb9edbd893475c3d57d881d
                                                      • Opcode Fuzzy Hash: f63d7c2077d18a98e3ee492d1a3c4303713505934110497a3749a1819fa8d452
                                                      • Instruction Fuzzy Hash: E6F09671404384AEEB119F1ACCC4B63FF98EB81734F18C56EED085B286C3799844CAB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 219494d149e292b0082dd8c55d783625a48bbe1b9893b8d54a0cb198bb0429ca
                                                      • Instruction ID: 8fe5ec662aef4bb2357bd176cd5f9979fa7e6e0c711aba528a764caa68fefa59
                                                      • Opcode Fuzzy Hash: 219494d149e292b0082dd8c55d783625a48bbe1b9893b8d54a0cb198bb0429ca
                                                      • Instruction Fuzzy Hash: B11296F16217468AEB14CF66F89A1897FA1B755328F904308EA612FBD1DFB4314ACF44
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c6f4cc35f4537192a40277b9b07bf6dda8488653e98a0d900505418f4004fa95
                                                      • Instruction ID: 18cb98e2a6a8f337c3bcd982e3c49b3fd998ca14b160e1993526a55c8f67b37d
                                                      • Opcode Fuzzy Hash: c6f4cc35f4537192a40277b9b07bf6dda8488653e98a0d900505418f4004fa95
                                                      • Instruction Fuzzy Hash: 86A15B32F116198FCF05DFA5C8449AEBBB2FF89300B15856AE915FB220EB71AD45CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.473289601.0000000005860000.00000040.00000001.sdmp, Offset: 05860000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6ff18cd7fd010cd16c4ede20c82861431b98d99159be598c65032e9e272ec850
                                                      • Instruction ID: 466b492d91aa0782c8e78820438fc3d67eb3e990ce9cdfe89ab3d6de864a5283
                                                      • Opcode Fuzzy Hash: 6ff18cd7fd010cd16c4ede20c82861431b98d99159be598c65032e9e272ec850
                                                      • Instruction Fuzzy Hash: EEC11CB1A217458BDB10CF66E89A1897FA1BB95328F504308F9612FBD0DFB4354ACF84
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.650632078.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FE0000, based on PE: true
                                                      • Associated: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 738c246dd5629d4ca638b5335a006a89f04e940c5c15719b75f6e8e586673499
                                                      • Instruction ID: 80748f2aa234171b4d87df575b05ba7783fc6c4f286201c4c21ea785bafcb146
                                                      • Opcode Fuzzy Hash: 738c246dd5629d4ca638b5335a006a89f04e940c5c15719b75f6e8e586673499
                                                      • Instruction Fuzzy Hash: 4C12BD32E24715DFDB64DF2AC08466DBBF6FF84704F198529D2169B264CB34D881CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.650632078.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FE0000, based on PE: true
                                                      • Associated: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8dda805880cd98249ce81ca13c43f7ed601df3338f1f07189c8933d0cbd0732
                                                      • Instruction ID: 742ec6902db9c1e6438e527457f1005d78ff81f383c11a3f0d95f035b2f81a4b
                                                      • Opcode Fuzzy Hash: d8dda805880cd98249ce81ca13c43f7ed601df3338f1f07189c8933d0cbd0732
                                                      • Instruction Fuzzy Hash: 7F918C32F111158FD794EB69C880AAEB7F3AFC8614F2AC074E505DB7A5DB709D018B90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.649262010.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a8dbcbce83518af38ab8cfb0134b3e79cbba82e9f63ff148a89165f9d36f847f
                                                      • Instruction ID: e6e5fd21b4d7bfdf1f86bfbb72e236c738d1859451c41cb08beca19d124aa4cb
                                                      • Opcode Fuzzy Hash: a8dbcbce83518af38ab8cfb0134b3e79cbba82e9f63ff148a89165f9d36f847f
                                                      • Instruction Fuzzy Hash: F151D578E01249DFDB04EFA4E955AAEBBB2FF49301F148029E805B73A4DB345946CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0291B730
                                                      • GetCurrentThread.KERNEL32 ref: 0291B76D
                                                      • GetCurrentProcess.KERNEL32 ref: 0291B7AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 0291B803
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 296a25a0ed9018fbbd1c32a94ba8ba2c00e75a288186678a59ad89004507e5f7
                                                      • Instruction ID: b0b0c1e05777507737058376be7be434b792f05e2fa7b76522bb5cbc42093ae3
                                                      • Opcode Fuzzy Hash: 296a25a0ed9018fbbd1c32a94ba8ba2c00e75a288186678a59ad89004507e5f7
                                                      • Instruction Fuzzy Hash: 725165B4E043498FDB10CFAAC698BEEBBF1AF48318F208499E019A7350C7745884CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0291B730
                                                      • GetCurrentThread.KERNEL32 ref: 0291B76D
                                                      • GetCurrentProcess.KERNEL32 ref: 0291B7AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 0291B803
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: f1504944f7538d08645b8f4c9133edad23d7a46a6c79d39f5620943619ff1f0a
                                                      • Instruction ID: d4a3c496d00ce34e152c219a43102c4be245dddf1e304a491549264f92d11ef0
                                                      • Opcode Fuzzy Hash: f1504944f7538d08645b8f4c9133edad23d7a46a6c79d39f5620943619ff1f0a
                                                      • Instruction Fuzzy Hash: 865145B4D047498FDB10DFAAC698BEEBBF5AF48318F208499E419A7350C7745844CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.649262010.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c1d82f0e546afb16c9f02d64f02d5c87f9224346950af84715f59ddddc7e86d
                                                      • Instruction ID: 8df45c5a57fb09efca67e3b9677f0ca9fecee7b60423d9e912641af70f64761c
                                                      • Opcode Fuzzy Hash: 3c1d82f0e546afb16c9f02d64f02d5c87f9224346950af84715f59ddddc7e86d
                                                      • Instruction Fuzzy Hash: EF815771D14309CFDB50DFAAC8806DEBBB1FF48314F20852AE915AB240DB74998ACF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0291962E
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 30a4c89b92a56bf541c8f770681469c35a96d3be240d508c59010da53a5d822e
                                                      • Instruction ID: 3b4e2c077bb623906da0f0e60164582535c3fa970d95cfef36bb3b75f7f8cb49
                                                      • Opcode Fuzzy Hash: 30a4c89b92a56bf541c8f770681469c35a96d3be240d508c59010da53a5d822e
                                                      • Instruction Fuzzy Hash: 257114B0A00B098FE764DF2AD05175AB7F5FF88218F008A2DE58AD7A50D774E845CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0291FD0A
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 7d46cbfd48a5841976887b726a950b0224d50fa0e705616977e66b38b655f408
                                                      • Instruction ID: 135ec59ffd481f7d82165007421436662c83a31510986d77b72dfa9b3e1c20eb
                                                      • Opcode Fuzzy Hash: 7d46cbfd48a5841976887b726a950b0224d50fa0e705616977e66b38b655f408
                                                      • Instruction Fuzzy Hash: 2C5132B1C0434C9FDB11CFAAC890ADEBFB1BF49314F24816AE808AB252D7749945CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06263358
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.649262010.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                      Similarity
                                                      • API ID: Query_
                                                      • String ID:
                                                      • API String ID: 428220571-0
                                                      • Opcode ID: f5453a4d8ee626c38445ec9ce2ccef16ce1ac0c1d70572f7d0272ff99588a089
                                                      • Instruction ID: 714590f9114791bca4c87e4aa7f69af62843b181042439b5cbb56ff6175b507d
                                                      • Opcode Fuzzy Hash: f5453a4d8ee626c38445ec9ce2ccef16ce1ac0c1d70572f7d0272ff99588a089
                                                      • Instruction Fuzzy Hash: 63512471D14259DFDB50CFAAC980BDEBBB5FF48314F24842AE815A7240DB74A886CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06263358
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.649262010.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                      Similarity
                                                      • API ID: Query_
                                                      • String ID:
                                                      • API String ID: 428220571-0
                                                      • Opcode ID: 36b2eed3675bcfbf9eaff4c868943264f4ecf97fa289d578cde68ecc688c95ca
                                                      • Instruction ID: bd8eec124c0a9be471a354eb3df6c1256cfbd1b20fbeb1c55699d6cd8ef6bc1b
                                                      • Opcode Fuzzy Hash: 36b2eed3675bcfbf9eaff4c868943264f4ecf97fa289d578cde68ecc688c95ca
                                                      • Instruction Fuzzy Hash: FF512271D10219CFDB50CFAAC980BDEBBB1FF48314F24842AE815A7240DB74A886CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0291FD0A
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: f0fb7d79d9ffbea8db1b5b7837005ca1f00674254bb45d3fffe730a50c9997d4
                                                      • Instruction ID: 76909de4111d72d0e96297d76c4c8e965952f0422000d163cb2c101b093e9687
                                                      • Opcode Fuzzy Hash: f0fb7d79d9ffbea8db1b5b7837005ca1f00674254bb45d3fffe730a50c9997d4
                                                      • Instruction Fuzzy Hash: DE41C0B5D0030D9FDF14CF9AC884ADEBBB5BF88314F64852AE819AB210D774A845CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0291BD87
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: d41c1ef8f78142b8a7bdd76bce4191ce9d06e19408ba7944c503a2e956f8c3c1
                                                      • Instruction ID: 29c230fb7c1cda8d189d43b3d9d339bc0628b2b8cc5053ae9bbb49b6fd186a77
                                                      • Opcode Fuzzy Hash: d41c1ef8f78142b8a7bdd76bce4191ce9d06e19408ba7944c503a2e956f8c3c1
                                                      • Instruction Fuzzy Hash: 67416D78E80348DFE7459F71E544BAA7BB9EBC9302F504629EA118B3C5EB790C51CB10
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 06260FC9
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.649262010.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                      Similarity
                                                      • API ID: CurrentThread
                                                      • String ID:
                                                      • API String ID: 2882836952-0
                                                      • Opcode ID: 7dd165dbb82c347d94f5277e3050f331f3d91b110f3d33314af90b45b8a9bcba
                                                      • Instruction ID: c08fdf0bc6e69e2dcd347af53a157cbb553d98c680bf352f42fee7af748bcf96
                                                      • Opcode Fuzzy Hash: 7dd165dbb82c347d94f5277e3050f331f3d91b110f3d33314af90b45b8a9bcba
                                                      • Instruction Fuzzy Hash: 2A316A70E20258DFDB54DF6AC588BAEBBF5AF88714F148069E805A7350CB74A885CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 06260FC9
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.649262010.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
                                                      Similarity
                                                      • API ID: CurrentThread
                                                      • String ID:
                                                      • API String ID: 2882836952-0
                                                      • Opcode ID: 6f5a02d0c3c96974b5ac21d70d94663209d1130b0696d6ce67a5e85e17b4a44c
                                                      • Instruction ID: df8e3cfc783c3a297c6212c87fb31fcc49c56c01ffebeabee7ebb9e9a9048c1d
                                                      • Opcode Fuzzy Hash: 6f5a02d0c3c96974b5ac21d70d94663209d1130b0696d6ce67a5e85e17b4a44c
                                                      • Instruction Fuzzy Hash: 70317871D20208DFDB50DFAAD488BADBBF5EF48314F14842AE805A7390CB746885CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0291BD87
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 20eeb5f6f7abf162c5f12d33af408c5cd5149fb503efd2281e5fa642d3247781
                                                      • Instruction ID: 852c6b76c840f0735452fb9c7bf0d6e7127746ed101d63e2aa5ca2f57816186f
                                                      • Opcode Fuzzy Hash: 20eeb5f6f7abf162c5f12d33af408c5cd5149fb503efd2281e5fa642d3247781
                                                      • Instruction Fuzzy Hash: B521E6B5D002099FDB10DFAAD584ADEBBF9EB48324F14841AE918A7310D378A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0291BD87
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 52f9273770d6c726c347fdfd8f3a9578708af4c9be7f1bbc12d65510b109aa27
                                                      • Instruction ID: b441c67fd4678433932cf8f5c29591684739c7713136ff9f93003c0afdf63e31
                                                      • Opcode Fuzzy Hash: 52f9273770d6c726c347fdfd8f3a9578708af4c9be7f1bbc12d65510b109aa27
                                                      • Instruction Fuzzy Hash: 1321C4B5D002499FDB10DFAAD984ADEBBF9EB48324F14845AE914A3310D378A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,029196A9,00000800,00000000,00000000), ref: 029198BA
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 2b82ad23d0baf26da95a26864c3268189049eb055ba903a5ecdb75e28d4715dc
                                                      • Instruction ID: c9d321a156a1e4d6b5e32fc33f6d7f47073c701f57345e137f65daf8e282c136
                                                      • Opcode Fuzzy Hash: 2b82ad23d0baf26da95a26864c3268189049eb055ba903a5ecdb75e28d4715dc
                                                      • Instruction Fuzzy Hash: 621103B6D003098FDB10DF9AC444BDEBBF8EB88324F14846EE515A7600C375A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,029196A9,00000800,00000000,00000000), ref: 029198BA
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 69c9b70b22d9b73509edcf52e0bf7119d5ba0ca1b0a67d00e640d8f6aaf7acb5
                                                      • Instruction ID: a8843aa56a6b5b5457a2fb63623dcfa544a2d0e7bb75d1915afc24f495908e19
                                                      • Opcode Fuzzy Hash: 69c9b70b22d9b73509edcf52e0bf7119d5ba0ca1b0a67d00e640d8f6aaf7acb5
                                                      • Instruction Fuzzy Hash: 0D11E2B6D002099FDB10DF9AC844BDEFBF8AB88324F14846EE519A7600C375A545CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,029196A9,00000800,00000000,00000000), ref: 029198BA
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: ea5fcbe5a26818d67d6e0dd5706623f1aff0f3b2b91aa044d47df8ec92d7f75e
                                                      • Instruction ID: 3ae2764e8f7729c085d95afc62884278d7aabe60181c0b1417fe9de7f7e123b7
                                                      • Opcode Fuzzy Hash: ea5fcbe5a26818d67d6e0dd5706623f1aff0f3b2b91aa044d47df8ec92d7f75e
                                                      • Instruction Fuzzy Hash: 651112B6D002498FDB10DFAAC444BDEFBF8EB88324F14846AE519A7200C379A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0291962E
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 8d4f3393cc9c9700a8d8cefa7ae39b478eea125b64095158587756d542eaed4e
                                                      • Instruction ID: 16e058ed51a4aebe2182cc2061dc4424de66bd736d3766658c0475b45d844b19
                                                      • Opcode Fuzzy Hash: 8d4f3393cc9c9700a8d8cefa7ae39b478eea125b64095158587756d542eaed4e
                                                      • Instruction Fuzzy Hash: 5811E0B5D007498FDB10DF9AC444BDEFBF8AB88228F14886AD819A7600C379A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 0291FE9D
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: 37e0e6b8b4c4613f6496f01c462fe1d5a882d7ca5608cdf910339e12b2cc6d73
                                                      • Instruction ID: e5bf45e676a041f76f21fc0d92d4bc2b543157eefc7e897ab9205ebfeba0d839
                                                      • Opcode Fuzzy Hash: 37e0e6b8b4c4613f6496f01c462fe1d5a882d7ca5608cdf910339e12b2cc6d73
                                                      • Instruction Fuzzy Hash: C11115B59003498FDB10DF9AD585BDEBBF8EB48324F10845AE919A7700C375A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 0291FE9D
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: c604a085b08b6f0903db3a52a58448e648ffa8353fb04c9e8b1e66c93583201d
                                                      • Instruction ID: a712b576b3827370ff9e6db2a1c366760499f8c571048f77e9810be291ad2c54
                                                      • Opcode Fuzzy Hash: c604a085b08b6f0903db3a52a58448e648ffa8353fb04c9e8b1e66c93583201d
                                                      • Instruction Fuzzy Hash: 4011E2B59003499FDB10DF9AD585BDFBBF8EB48324F10885AE919A7740C374A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.650632078.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FE0000, based on PE: true
• Associated: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: r*+
                                                      • API String ID: 0-3221063712
                                                      • Opcode ID: 74f0b5c3a1d878fed0e09866319c8ba85fdc15b3e647d3b100748bbc3e23b8ec
                                                      • Instruction ID: 48a28e7319ebdadd3b3db191173dc73855f3a65ab1aa14a67413f93a68c62030
                                                      • Opcode Fuzzy Hash: 74f0b5c3a1d878fed0e09866319c8ba85fdc15b3e647d3b100748bbc3e23b8ec
                                                      • Instruction Fuzzy Hash: DE6118B9D1020A9FDF54DFAAD4445ADBBB1EF48310F00A559E502EB260DB31A941CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.641799534.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c14fa9d70a7a425b4b901670dcf983a19fc656854963740a2270bb4681fd7810
                                                      • Instruction ID: 618615fe3b9a5958d123b65db15851a5d540526ecec92730e5f83acfa8abf636
                                                      • Opcode Fuzzy Hash: c14fa9d70a7a425b4b901670dcf983a19fc656854963740a2270bb4681fd7810
                                                      • Instruction Fuzzy Hash: 912145B1904201DFDB05DF14D8C0B26BF65FB8832CF308568E9070B606C336D956DBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.641841321.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9134d83d3f9407b769b5ecfc92ee73ce237846fb47e23a6fdf3ff7b6d7f59952
                                                      • Instruction ID: 5d5a95591a402d8ccd5d75beeeaf41c2ddd97e5bba614b5a7b3283fc67c16cd1
                                                      • Opcode Fuzzy Hash: 9134d83d3f9407b769b5ecfc92ee73ce237846fb47e23a6fdf3ff7b6d7f59952
                                                      • Instruction Fuzzy Hash: E2210775504240DFCB14EF24E9C0B56BB65FB84318F34C5A9E90A4B246D736D847CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.641841321.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4749089e83a5248c96353e6f8fada5f92c92063a018341c0d977f7ef127e2237
                                                      • Instruction ID: 343aafd051a04f4f59f5cba6390bc4d12f101951a4c9e9c841eb51c8c0a0a1a2
                                                      • Opcode Fuzzy Hash: 4749089e83a5248c96353e6f8fada5f92c92063a018341c0d977f7ef127e2237
                                                      • Instruction Fuzzy Hash: 9C219F755093C08FCB02DF24D990B55BF71EB46314F28C5EAD8498F6A7C33A984ACB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.641799534.0000000000CAD000.00000040.00000001.sdmp, Offset: 00CAD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                      • Instruction ID: d2f53e0a540e48c3367b81455285b461c42b38474b7ff555311b0ead635ae9e4
                                                      • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                      • Instruction Fuzzy Hash: CD11E6B6804280CFCF12CF14D5C4B16BF72FB95328F24C6A9D8060B616C336D95ACBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.650632078.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FE0000, based on PE: true
• Associated: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 323faf97fe97ec03e5786aaf3a9a16e86ab727f59621b8e9e5e13e0a2a6f7cc7
                                                      • Instruction ID: 1bb707bb4b2586691ba8f5c01b35eb0647098bc1f0f8c62bb9f5a2d27867135f
                                                      • Opcode Fuzzy Hash: 323faf97fe97ec03e5786aaf3a9a16e86ab727f59621b8e9e5e13e0a2a6f7cc7
                                                      • Instruction Fuzzy Hash: 5EF06232315390EF47982BA6A52C42E3BE79BC86563440057E70BC33A0DE714D0347E6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.650632078.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FE0000, based on PE: true
• Associated: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b8791a5e6af9d07a23575de5e2c41cb83081d0a96eb7d95812f6b8d8ee4aaae
                                                      • Instruction ID: 25dca6a631c4110ed0ec1ef5940802705918425c462dd44808532e2e1178e221
                                                      • Opcode Fuzzy Hash: 0b8791a5e6af9d07a23575de5e2c41cb83081d0a96eb7d95812f6b8d8ee4aaae
                                                      • Instruction Fuzzy Hash: 0AF0CD123165A41BD37433B8942532FA5CB8FC7254F0A886EF64B9B7C2CE999D0523F2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.650632078.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FE0000, based on PE: true
• Associated: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2d6aeb629b4fbe46ea2509a7e58a0b11db6dbd5c275a1242a1690841b9b170b2
                                                      • Instruction ID: 8d6acfc9910cdfbf591a4c40777e692dd4d874cb86ed24cfd5dbe1f9cae93065
                                                      • Opcode Fuzzy Hash: 2d6aeb629b4fbe46ea2509a7e58a0b11db6dbd5c275a1242a1690841b9b170b2
                                                      • Instruction Fuzzy Hash: 3EF0A9122165A51BD27433A9942136BA5CB8FC7254F0A886DF24AAB7C1CE999D0513B2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.650632078.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FE0000, based on PE: true
• Associated: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 44f871152670279ef5bc0ef8e02b79d01888b2d1c633bbd46510c957566435f1
                                                      • Instruction ID: 1e2126d30b8ec77d925b9a6584b529bdcb724c5a88f3075c77d800d8fc607de2
                                                      • Opcode Fuzzy Hash: 44f871152670279ef5bc0ef8e02b79d01888b2d1c633bbd46510c957566435f1
                                                      • Instruction Fuzzy Hash: CAC08071274204DBE758D7557851B3533DB67C8700F0CC410F50E45165856159014090
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.650632078.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FE0000, based on PE: true
• Associated: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 25d1df9ab6cd28e2fc7e9c6f10314000ebc7f2fd8db10a8b4e65919710407f87
                                                      • Instruction ID: 9dfd5e4232d2a71e961ec42c46dce78f04dc4de2d2df49bb919624f82e06a584
                                                      • Opcode Fuzzy Hash: 25d1df9ab6cd28e2fc7e9c6f10314000ebc7f2fd8db10a8b4e65919710407f87
                                                      • Instruction Fuzzy Hash: 05B0123277430C4BEBA057FA7C4436633CC9F80A1CF4000B2F70CC2940F586E8600080
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

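The entries above are worth more than their fuzzy hashes: every function in process 0x0B sits in a dump with protection 00000040 (PAGE_EXECUTE_READWRITE) and, for the 02910000 and 06260000 regions, "based on PE: false", which is the memory layout an analyst expects from unpacked or injected code, and the APIs resolved inside those regions (DuplicateHandle, LoadLibraryExW, DnsQuery_A, CreateWindowExW, SetWindowLongW) are the ones that make it useful to the operator. The following script is an added triage helper, not part of this report and not Joe Sandbox code: it parses records in the layout shown here, groups the functions by process and region base, and reports every writable-and-executable region with the APIs it calls. The split of the .sdmp file name into process index, phase, dump id, base address, protection and type is an assumption about the naming scheme; the PAGE_* values are the Win32 constants from winnt.h; the sample input is constructed from four of the records listed above.

```python
"""Triage helper for per-function sandbox listings (added example, not Joe Sandbox code).
Assumed .sdmp name layout: <process index>.<phase>.<dump id>.<base>.<protection>.<type>.sdmp
PAGE_* values are the Win32 constants from winnt.h."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
WRITE_AND_EXEC = (0x40, 0x80)  # writable + executable: where unpacked/injected code lives

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
HASH_RE = re.compile(r"^•\s*(Opcode|Instruction) Fuzzy Hash:\s*([0-9A-Fa-f]+)$")

@dataclass
class DumpInfo:
    process_index: int   # hex in the file name (0000000B -> 11); field meaning is assumed
    phase: int
    dump_id: str
    base: int
    protect: int         # Win32 PAGE_* value
    kind: int

@dataclass
class FunctionEntry:
    apis: List[Tuple[str, str, str]] = field(default_factory=list)  # (api, module, ref address)
    dump: Optional[DumpInfo] = None
    pe_backed: Optional[bool] = None
    opcode_hash: str = ""
    instruction_hash: str = ""

def parse_dump_name(name: str) -> DumpInfo:
    parts = name[: -len(".sdmp")].split(".")
    if len(parts) != 6:
        raise ValueError(f"unexpected dump name: {name}")
    p, ph, did, base, prot, kind = parts
    return DumpInfo(int(p, 16), int(ph, 16), did, int(base, 16), int(prot, 16), int(kind, 16))

def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per record; a 'Uniqueness Score' line closes a record."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Uniqueness Score"):
            if cur.dump is not None:
                entries.append(cur)
            cur = FunctionEntry()
        elif m := API_RE.match(line):
            cur.apis.append((m.group(1), m.group(2), m.group(4)))
        elif m := SRC_RE.search(line):
            cur.dump = parse_dump_name(m.group(1))
            cur.pe_backed = m.group(3) == "true"
        elif m := HASH_RE.match(line):
            if m.group(1) == "Opcode":
                cur.opcode_hash = m.group(2)
            else:
                cur.instruction_hash = m.group(2)
    return entries

def summarize_regions(entries: List[FunctionEntry]) -> Dict[Tuple[int, int], dict]:
    """Group functions by (process index, region base) and collect the APIs each region resolves."""
    regions: Dict[Tuple[int, int], dict] = defaultdict(
        lambda: {"functions": 0, "apis": set(), "protect": 0, "pe_backed": True})
    for e in entries:
        r = regions[(e.dump.process_index, e.dump.base)]
        r["functions"] += 1
        r["apis"].update(api for api, _, _ in e.apis)
        r["protect"], r["pe_backed"] = e.dump.protect, bool(e.pe_backed)
    return dict(regions)

def flag_regions(entries: List[FunctionEntry]) -> List[str]:
    """Report every writable+executable region; one not backed by a PE image is the usual home of unpacked or injected code."""
    out = []
    for (pid, base), r in sorted(summarize_regions(entries).items()):
        if r["protect"] not in WRITE_AND_EXEC:
            continue
        backing = "PE-backed" if r["pe_backed"] else "not PE-backed (likely unpacked/injected code)"
        out.append(f"process {pid}: 0x{base:08X} {PAGE_PROTECT[r['protect']]}, {backing}, "
                   f"{r['functions']} function(s), APIs: {sorted(r['apis']) or '-'}")
    return out

# Constructed sample: four records in the layout of the listing above.
SAMPLE = """\
• DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06263358
• Source File: 0000000B.00000002.649262010.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false
• Opcode Fuzzy Hash: 36b2eed3675bcfbf9eaff4c868943264f4ecf97fa289d578cde68ecc688c95ca
• Instruction Fuzzy Hash: FF512271D10219CFDB50CFAAC980BDEBBB1FF48314F24842AE815A7240DB74A886CF91
Uniqueness Score: -1.00%
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0291BD87
• Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
Uniqueness Score: -1.00%
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,029196A9,00000800,00000000,00000000), ref: 029198BA
• Source File: 0000000B.00000002.642830967.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false
Uniqueness Score: -1.00%
• Source File: 0000000B.00000002.650632078.0000000006FF0000.00000040.00000001.sdmp, Offset: 06FE0000, based on PE: true
Uniqueness Score: -1.00%
"""
```

Running `flag_regions(parse_entries(SAMPLE))` yields one line per RWX region; on a full report, pasting the whole function listing in place of SAMPLE gives a region-by-region view of where the resolved imports live, which is usually a faster way to spot the unpacked payload than reading the entries one at a time.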
                                                      Non-executed Functions

                                                      Executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.574318063.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a8ae15fe341e910289b6941912a9936e509ffac69b74190aa3a08c25ac57cb1
                                                      • Instruction ID: 2e8d8d4cab83dc39a958cd9e4ac95918bfb3a9830b7aac7828f4be87bc400c54
                                                      • Opcode Fuzzy Hash: 0a8ae15fe341e910289b6941912a9936e509ffac69b74190aa3a08c25ac57cb1
                                                      • Instruction Fuzzy Hash: 0532D234B042148FCB15DF68C496A6EBBF6BF85300F1684A9E40ADB3A5DB35EC45CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.574318063.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 622095568209a9607ddee12829a0e36d9d9431290464021350bf264efb20decf
                                                      • Instruction ID: 41811691cf21cdec69a06a68e99aa4d476e93579ca958b6e416a123866a2b70d
                                                      • Opcode Fuzzy Hash: 622095568209a9607ddee12829a0e36d9d9431290464021350bf264efb20decf
                                                      • Instruction Fuzzy Hash: 1ED12875E002189FDB14DFA9C885AAEBBB2FF89304F118169E509AB365EB349D41CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 028A99D6
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568479671.00000000028A0000.00000040.00000001.sdmp, Offset: 028A0000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: ad74b4bbcbf37a0342a50379a8bbe91a1486cb099c997567929469731314506a
                                                      • Instruction ID: 5de9fd0a10fa32a2934ef330870afb1a686687b01fef4ab8aba587aa94c7b04b
                                                      • Opcode Fuzzy Hash: ad74b4bbcbf37a0342a50379a8bbe91a1486cb099c997567929469731314506a
                                                      • Instruction Fuzzy Hash: DB712478A04B058FE724DF2AC45579AB7F5FF88204F04892DD54AD7A40DB74E905CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 028A5829
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568479671.00000000028A0000.00000040.00000001.sdmp, Offset: 028A0000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 4deb3e738e9b78fdcb7de8c7c1b176726c65862d2da43873e1221ff1b870bdfa
                                                      • Instruction ID: b5b9b37bbd131f356a1580aa447a07643ee8c0e908ca0a5286daefd074ce91ff
                                                      • Opcode Fuzzy Hash: 4deb3e738e9b78fdcb7de8c7c1b176726c65862d2da43873e1221ff1b870bdfa
                                                      • Instruction Fuzzy Hash: 02411575C04619CFEB24DFA9C8847CEBBB1FF58308F60805AD509AB251DB756986CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 028A5829
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568479671.00000000028A0000.00000040.00000001.sdmp, Offset: 028A0000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: f49cfd29c9dcc56b29fc1f17263ffc293fb4084ba80de77429899da1612dbcb4
                                                      • Instruction ID: 911ebfa2173372c58a67756bcaa40269a2970580719746248862eec48447903f
                                                      • Opcode Fuzzy Hash: f49cfd29c9dcc56b29fc1f17263ffc293fb4084ba80de77429899da1612dbcb4
                                                      • Instruction Fuzzy Hash: CA410274C0461CCFEB24DFA9C884B9EBBB5BF48308F608469D509BB250DB756986CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028ABC76,?,?,?,?,?), ref: 028ABD37
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568479671.00000000028A0000.00000040.00000001.sdmp, Offset: 028A0000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 6faa280d6431a1edc31ce5dc9e00c804d61b8c0959cd1f62bd801ec725bd8de0
                                                      • Instruction ID: cc3b797e5fa2d4a6011250e06f005c286953446fd704c1db7df96ecf78f94b81
                                                      • Opcode Fuzzy Hash: 6faa280d6431a1edc31ce5dc9e00c804d61b8c0959cd1f62bd801ec725bd8de0
                                                      • Instruction Fuzzy Hash: D42114B9D002499FDB10DFAAD884ADEBBF4FB58324F14841AE914A3310C378A945CFA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,028ABC76,?,?,?,?,?), ref: 028ABD37
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568479671.00000000028A0000.00000040.00000001.sdmp, Offset: 028A0000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: c2ab19eea4407986598049b7d68468d1533499d8d2d6d59404e9907c48840da8
                                                      • Instruction ID: 3e1cb3899618c39a179a6a457daed9debdbd03b828870ed89fe8ac0178b2e81e
                                                      • Opcode Fuzzy Hash: c2ab19eea4407986598049b7d68468d1533499d8d2d6d59404e9907c48840da8
                                                      • Instruction Fuzzy Hash: 892116B9900248DFDB10CF9AD884ADEBBF4EB48324F14845AE914B3310C774A954CFA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028A9A51,00000800,00000000,00000000), ref: 028A9C62
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568479671.00000000028A0000.00000040.00000001.sdmp, Offset: 028A0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: e1c77c21d2dfd7794309919ed10b4e5eef6285c65d95fcbe9328f9662953a9cb
                                                      • Instruction ID: 785e8804db251ae705dbde70a0982bfebe92dd3d58cd3fcc0a66cd0a932b4db2
                                                      • Opcode Fuzzy Hash: e1c77c21d2dfd7794309919ed10b4e5eef6285c65d95fcbe9328f9662953a9cb
                                                      • Instruction Fuzzy Hash: FC1129BAD04249CFDB10DF9AC484ADEFBF4EB58314F14841EE519A7200C774A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028A9A51,00000800,00000000,00000000), ref: 028A9C62
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568479671.00000000028A0000.00000040.00000001.sdmp, Offset: 028A0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 9edc07db6e4a5663c5bacedf3df3e8ef973167de183085866c8e794791ed4e3a
                                                      • Instruction ID: c27c44e276d5a100c448e9db1ebc266beec79ec776f6698fedd6d9bfde06e44e
                                                      • Opcode Fuzzy Hash: 9edc07db6e4a5663c5bacedf3df3e8ef973167de183085866c8e794791ed4e3a
                                                      • Instruction Fuzzy Hash: 3F1117BA904649DFDB10CF9AC444AEEFBF4EB58314F14842AE515A7200C774A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 028A99D6
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568479671.00000000028A0000.00000040.00000001.sdmp, Offset: 028A0000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: a72891d9faa9a3f277f49e215841f591cb8fcbeeb0736375678c5fb23b70c94f
                                                      • Instruction ID: 28e1cf0dbec4930c24b7c4eaf774022c1903d9a578d7f795e4ed1c488d534e7e
                                                      • Opcode Fuzzy Hash: a72891d9faa9a3f277f49e215841f591cb8fcbeeb0736375678c5fb23b70c94f
                                                      • Instruction Fuzzy Hash: BD110FBAC002498FDB10CF9AC444ADEFBF8AB88224F14845AD459A7300D378A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: XU\4
                                                      • API String ID: 0-1915810535
                                                      • Opcode ID: adc6fbf0248394d283086974bf886fef4adf902048627b50ec06adfde603bac7
                                                      • Instruction ID: 1ca9089eb0e18aeb718241835787402c45a9bb0887afbc1e08d503ba92302c44
                                                      • Opcode Fuzzy Hash: adc6fbf0248394d283086974bf886fef4adf902048627b50ec06adfde603bac7
                                                      • Instruction Fuzzy Hash: 9D3148B0D0521ADFDF24CFA5C5406AEBFF2EB4A201F5485ABC459B7650D3388A06CF55
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID: XU\4
                                                      • API String ID: 0-1915810535
                                                      • Opcode ID: 2e10c99fea8c91ed6c7ffa4cb8a3799c568a838ec7a5a9723815454de4902062
                                                      • Instruction ID: c4899c6e3003bfd13eab9c686a1b2544918387cedadc4f1417d3e69467bf1334
                                                      • Opcode Fuzzy Hash: 2e10c99fea8c91ed6c7ffa4cb8a3799c568a838ec7a5a9723815454de4902062
                                                      • Instruction Fuzzy Hash: 843168B0D0521ADFDF24CFAAC1006AEBFF2AB49201F5485ABC058B3250D3388A02CF95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.574318063.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c149dc75151981f343e72f8144b321c87735c7c5b1ba4608ac2f40eab23433bd
                                                      • Instruction ID: 166974659b8e6f0c23d5996e5829331058abcac413fabe78097000ac57e81e6f
                                                      • Opcode Fuzzy Hash: c149dc75151981f343e72f8144b321c87735c7c5b1ba4608ac2f40eab23433bd
                                                      • Instruction Fuzzy Hash: 70C14D30B142199FDB14DF64D995AAE7BF6BF89314F118068E50ADB3A0DB38DC41CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.567950696.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 80b903c5a6b8eed7ae0dc8a100c0cf5b02d666eeaa84b55f375bdaa132dcfee5
                                                      • Instruction ID: 030142401568979a6326ade8945f989d15190fa1d380b5c14995cfef2f65b683
                                                      • Opcode Fuzzy Hash: 80b903c5a6b8eed7ae0dc8a100c0cf5b02d666eeaa84b55f375bdaa132dcfee5
                                                      • Instruction Fuzzy Hash: CB2125F6D04240DFCB05DF14D8C0B26BF65FB89328F288569E9064B646C336D856EBB2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568124925.000000000276D000.00000040.00000001.sdmp, Offset: 0276D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f5269d15b848e9330de08d9ec588d1d323ed9c93b44d28d5cd4afadfbd2502e5
                                                      • Instruction ID: b4725a8ec8ffc44230c65c45ec2db7d33c4304c16a0f3ba4c18eba133e2b64e3
                                                      • Opcode Fuzzy Hash: f5269d15b848e9330de08d9ec588d1d323ed9c93b44d28d5cd4afadfbd2502e5
                                                      • Instruction Fuzzy Hash: 7C2125B1614200DFDB24DF10C9C4B36BB65FB88318F24C5A9ED095B242C736D846CA61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568124925.000000000276D000.00000040.00000001.sdmp, Offset: 0276D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ad75271a50693a09f8cb0d62ef140be9507736ab2fefdd9bcd24f643ae2b124b
                                                      • Instruction ID: a06cb2b45226d7b97a0847feeb67d19bc366ccf9d9412c22c35d8ccabd9d4359
                                                      • Opcode Fuzzy Hash: ad75271a50693a09f8cb0d62ef140be9507736ab2fefdd9bcd24f643ae2b124b
                                                      • Instruction Fuzzy Hash: 8B21F2B5604244DFDB24DF24D9C8B26BB65FB88318F24C5A9ED0A4B246C737D847CAA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e79ba64c3bc122afc00e45e31c8639f66f33b9387201b76342d83a427a1ecbf2
                                                      • Instruction ID: 5c2eba6494accce149ab51604784f253c1981af5b5abe5b0162936f632f3a8bb
                                                      • Opcode Fuzzy Hash: e79ba64c3bc122afc00e45e31c8639f66f33b9387201b76342d83a427a1ecbf2
                                                      • Instruction Fuzzy Hash: 51219F72A05A418BDB24CF29C8947ABBFE2EF85215F08C46FD599CB356DB309841C791
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 51f3b74bd1310f8fa891a0359469c69f800d6c06ff31c91f58932c97efbee084
                                                      • Instruction ID: 48f3ec6dda189665ae38d4afa72dc1f8067836950f13b2387c780135f27cc242
                                                      • Opcode Fuzzy Hash: 51f3b74bd1310f8fa891a0359469c69f800d6c06ff31c91f58932c97efbee084
                                                      • Instruction Fuzzy Hash: 0B117C31B00A018BDB28DE29C8907ABBBE2AF88215F08C43E955DCB355DF309C418BA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568124925.000000000276D000.00000040.00000001.sdmp, Offset: 0276D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b2f8b52089efb2951034341c97f3020b160520c5dbae84cd716c26a4c54979a3
                                                      • Instruction ID: f19d4f7e7f2be1f7aebf60d5d47a3914de075a07def5d99d681bb6dab07b9102
                                                      • Opcode Fuzzy Hash: b2f8b52089efb2951034341c97f3020b160520c5dbae84cd716c26a4c54979a3
                                                      • Instruction Fuzzy Hash: C7216F755093C08FCB12CF24D994B25BF71EB46214F28C5DAD8898F667C33AD84ACB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6c37d93029bf70cbf047a60ffcfbefeb1bb3ae6021b6259159cf1f0fe446ad9a
                                                      • Instruction ID: 9504a5be8bb1702ba47124c80f3a2b698b0d8c4feecdc8442debec4024117a1e
                                                      • Opcode Fuzzy Hash: 6c37d93029bf70cbf047a60ffcfbefeb1bb3ae6021b6259159cf1f0fe446ad9a
                                                      • Instruction Fuzzy Hash: 27118B71D01646AFDB60DB69D845AAA7FF1FF08202B0485AFD489C7621E73A8942CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b89d669f5c08e28b7bc3932a98bd27dcde26bf04d52fd12946eef93e82da5b7d
                                                      • Instruction ID: 6c708a86ba05fc11b6973c81cfbdd1c01140d15781d03e0c2abfbf355496ae8d
                                                      • Opcode Fuzzy Hash: b89d669f5c08e28b7bc3932a98bd27dcde26bf04d52fd12946eef93e82da5b7d
                                                      • Instruction Fuzzy Hash: F4112C70E01606CFCB24DFA9C444AAEFBF1AF48219F5584AAD458AB351D739D942CF80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c9a4d097f9f57e6ec75120060c5922d38c8e9d56291bb166687e902e29890d3a
                                                      • Instruction ID: 1849eda42ac105a41003bc872cdbad7e79ecc067d397b18be203a5e866a31a45
                                                      • Opcode Fuzzy Hash: c9a4d097f9f57e6ec75120060c5922d38c8e9d56291bb166687e902e29890d3a
                                                      • Instruction Fuzzy Hash: B811E331D05386AFDB21DF7A8805A5A7FF5EF4A601B0485AFD484CB222E739C806CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.567950696.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                      • Instruction ID: 5e3b03d2e2fe595f33ad7e89920fdbeb1271e689445499f8ad51740f64273cd2
                                                      • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                      • Instruction Fuzzy Hash: 2211D3B6C04280CFCB15CF14D5C4B1ABF71FB95328F28C6A9D8450B616C336D85ADBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b17a32a2735f52ef2912b8460c5e1bd533e18fd04efe48c839d1218ea9d87e0c
                                                      • Instruction ID: 6a4648801acc9ba207db456f4ccd6119453d5bb0bbf485d8069f6394da1304ac
                                                      • Opcode Fuzzy Hash: b17a32a2735f52ef2912b8460c5e1bd533e18fd04efe48c839d1218ea9d87e0c
                                                      • Instruction Fuzzy Hash: 85018E30715A10CBDF349A1DD544927BFF6EBC9B16B04886EE4CA86741DB39E8028694
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.568124925.000000000276D000.00000040.00000001.sdmp, Offset: 0276D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aa6bdbb04686500b4f88f9c2907b36233d3495acb1519a01dcdcc91fed9e3004
                                                      • Instruction ID: 15c8f48e1a8c08a8b1372dd1e5573bd4257cffacf94bd5c9f749fe39b02505fa
                                                      • Opcode Fuzzy Hash: aa6bdbb04686500b4f88f9c2907b36233d3495acb1519a01dcdcc91fed9e3004
                                                      • Instruction Fuzzy Hash: 7D118B75A04280DFCB21CF14D5C4B26BBA1FB84224F28C6A9DC494B656C33AD44ACB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b9f66e4b0d94fc8a4f16c9ae244621d1975c86895b87329f51b3c4677c316495
                                                      • Instruction ID: 52590e5e559651bbaa242d0ff7a87e1528682fae2a9e9ed22d6ba8d84bda1c71
                                                      • Opcode Fuzzy Hash: b9f66e4b0d94fc8a4f16c9ae244621d1975c86895b87329f51b3c4677c316495
                                                      • Instruction Fuzzy Hash: BD113D70E01645CFDB24DFA9C444A6EBBF1AF48205F1984AEC454AB361D7349942CF80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 69d089a02aebb73723b1d81c8c8f918275e485b94f9380bf73f9da99291953d2
                                                      • Instruction ID: e87bd6cd5f28c85488c8c2623044376bf06d425c91212f8e656bccec2c8e9794
                                                      • Opcode Fuzzy Hash: 69d089a02aebb73723b1d81c8c8f918275e485b94f9380bf73f9da99291953d2
                                                      • Instruction Fuzzy Hash: BF0126393057808FCF27A7659C4082E7F679FD2211709809BD4C88F2B2EB398C16C356
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.567950696.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3d9cd4ccbfd1758d4f6e5fd60773a3e2f59473b72a4b4b737c6973a5b5f664c9
                                                      • Instruction ID: ebd37e79a9fc2a696c54df0bf1f8d3de1a90e54370b09cc43eb5734b229c60ce
                                                      • Opcode Fuzzy Hash: 3d9cd4ccbfd1758d4f6e5fd60773a3e2f59473b72a4b4b737c6973a5b5f664c9
                                                      • Instruction Fuzzy Hash: 27017BB24083409AE7245F26CC84B67BB9CDF42338F18845AEE065B642C3399844EAB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.567950696.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c7176b313c7c0f3ce81a18bf82f07b6c22f349d37e9f2169dc1a4f904b2605e1
                                                      • Instruction ID: 8f9c22abb31f73a3e7847ef7a0de00228e3c24a0728563f8f0ff0e6aa8d2a274
                                                      • Opcode Fuzzy Hash: c7176b313c7c0f3ce81a18bf82f07b6c22f349d37e9f2169dc1a4f904b2605e1
                                                      • Instruction Fuzzy Hash: 36F0F6B24043449EE7148F16CCC8B62FF98EB52334F18C05AED094B686C3799C44DAB0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5586e7caa1bd8b0b9f15b1a5a9c8c3e2f96db5f07e8704222eef7579d01698f3
                                                      • Instruction ID: b08c29d2e3cd03c6a26c85b83a4d5df71b408364329608690d72baf135fd41a3
                                                      • Opcode Fuzzy Hash: 5586e7caa1bd8b0b9f15b1a5a9c8c3e2f96db5f07e8704222eef7579d01698f3
                                                      • Instruction Fuzzy Hash: 78F065355093C18FCB23AB60C940C853FB2EF2725134681EBD494CF262E739C856D711
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee42379622ea3e4452c49a6a9cec15e9063b5d80a61df5d568fda6b5521b699b
                                                      • Instruction ID: 2c57c391c54b85177a340eb7f23328898022ecfbce73d7651ddd24dbc0769bd4
                                                      • Opcode Fuzzy Hash: ee42379622ea3e4452c49a6a9cec15e9063b5d80a61df5d568fda6b5521b699b
                                                      • Instruction Fuzzy Hash: 63F0A071D05B56EEDB70EBBC880029FBFF0BB50226F29496FD095D6246E77441418BC1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.574318063.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9922b6f83a1d4abdfd623288b5cf5d6bb515cab09dbf5fb9506a491fda5372ac
                                                      • Instruction ID: 4dc6fa21512c3e31b1d33b2ca9874806631381cc083006b2d7323c2b648225c4
                                                      • Opcode Fuzzy Hash: 9922b6f83a1d4abdfd623288b5cf5d6bb515cab09dbf5fb9506a491fda5372ac
                                                      • Instruction Fuzzy Hash: 70E0C235900208EFCB55DFE4E905A9E7BB5FB48300F1086A9E81862250D7315A60EB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.575505698.0000000008490000.00000040.00000001.sdmp, Offset: 08490000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b377a5eef0f327eeacd3614c794a09cb052fd70c063f52846b3c06d5accdb182
                                                      • Instruction ID: a27dc39d5f9cdf2b1009c433073cea86059b1d91ab6add4d26b35c66854edd6c
                                                      • Opcode Fuzzy Hash: b377a5eef0f327eeacd3614c794a09cb052fd70c063f52846b3c06d5accdb182
                                                      • Instruction Fuzzy Hash: 41D012B0C4030AEFDB50EFB9880175FBFF06B04204F10886BC055E2205E77442058F91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000010.00000002.574318063.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 829d2f97e67bb81a7b44bfa77b849ee0c120df12c69355b4dd576855d4b59129
                                                      • Instruction ID: 96c926557a3f3beade511b27a734aeafbd4a074b666a1f81a59536f16b3b840e
                                                      • Opcode Fuzzy Hash: 829d2f97e67bb81a7b44bfa77b849ee0c120df12c69355b4dd576855d4b59129
                                                      • Instruction Fuzzy Hash: 4AC0023604020DBBDF025EC1ED05EDA3F2AFB08750F048401FA19041A1C7B39570ABA6
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Executed Functions

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 00F9B730
                                                      • GetCurrentThread.KERNEL32 ref: 00F9B76D
                                                      • GetCurrentProcess.KERNEL32 ref: 00F9B7AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F9B803
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: ecde7089f3a2f9453f8b5bc23fa8fd99499794163e6e94909952bac0fb48bfcf
                                                      • Instruction ID: 7bed00aa8fd68f308e3fd579b98a6a8e5dc19dd95cbbc9f25f99437cec8beccd
                                                      • Opcode Fuzzy Hash: ecde7089f3a2f9453f8b5bc23fa8fd99499794163e6e94909952bac0fb48bfcf
                                                      • Instruction Fuzzy Hash: 095176B4900648CFDB10CFAAD9887EEBBF1EF88314F248559E019A7361D7749885CF62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 00F9B730
                                                      • GetCurrentThread.KERNEL32 ref: 00F9B76D
                                                      • GetCurrentProcess.KERNEL32 ref: 00F9B7AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 00F9B803
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 14a08bdd0f9d3452e0d8707ca73ee015c45a6647d33c1851891455b8b31a3817
                                                      • Instruction ID: c5aa5d379e1b9310fbfc736b146a28af82fb8552594b3149f5a8267f154bf8a4
                                                      • Opcode Fuzzy Hash: 14a08bdd0f9d3452e0d8707ca73ee015c45a6647d33c1851891455b8b31a3817
                                                      • Instruction Fuzzy Hash: 305166B4D00648CFDB14CFAADA88BDEBBF5AF88314F248559E019A7360C7749844DF66
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F9FD0A
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 3027ea038d70852e14579812482433bbcd780a04f2eabfdbdba9380fccb7436a
                                                      • Instruction ID: b3b4d294857865a4568c9a6d0fd3e5aba9e7499fe61a74a7f5fef43883f86918
                                                      • Opcode Fuzzy Hash: 3027ea038d70852e14579812482433bbcd780a04f2eabfdbdba9380fccb7436a
                                                      • Instruction Fuzzy Hash: 76917E71C093889FDF02CFA5C895ADDBFB1EF0A310F1981AAE444AB262C7359849DF51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00F9962E
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 6db69ce74c3df0e8b78c438466cce6098c41838af7c617075e2f0679ab07150e
                                                      • Instruction ID: b17c4fe2b6c4f0c73a13ef166387456fd411f376ef235a0464a94937de4ffe4f
                                                      • Opcode Fuzzy Hash: 6db69ce74c3df0e8b78c438466cce6098c41838af7c617075e2f0679ab07150e
                                                      • Instruction Fuzzy Hash: F0714470A04B058FEB24DF2AC44175AB7F1BF88314F118A2DE48AD7A50DB74E846DB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F9FD0A
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 230fa16617385cd5e4cd45d9a00e257815bfbadf773f94e136c7ed3a7bfcf0be
                                                      • Instruction ID: b09c8bc476d3a30bf97d94b77c5bf4051505e1a999bc83c1743c2e60b538ba2e
                                                      • Opcode Fuzzy Hash: 230fa16617385cd5e4cd45d9a00e257815bfbadf773f94e136c7ed3a7bfcf0be
                                                      • Instruction Fuzzy Hash: C441A3B1D00349DFDF14CF99C884ADEBBB5BF48314F24852AE819AB250D7759945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9BD87
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: e6aa285d872dacca0fe62b3ad7b8cd6c0150416f2e857f5ecb4f864aadb1ab79
                                                      • Instruction ID: 82ecfce90c442816ef367db2a7fa86c6bacc5e7ab46944a1c340092a94b0331c
                                                      • Opcode Fuzzy Hash: e6aa285d872dacca0fe62b3ad7b8cd6c0150416f2e857f5ecb4f864aadb1ab79
                                                      • Instruction Fuzzy Hash: 912105B5D012489FDB10CFAAD484AEEBFF4EB48324F14841AE914A7310C374A954CFA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9BD87
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 909651eb353861fb0825cade5f7aebc4bb72bf0be3c7b01390edd5fd8477d87f
                                                      • Instruction ID: f40595ce4f50785c0f7317349b8e30a6982ee65ef01db8ce7cf8353cf493a646
                                                      • Opcode Fuzzy Hash: 909651eb353861fb0825cade5f7aebc4bb72bf0be3c7b01390edd5fd8477d87f
                                                      • Instruction Fuzzy Hash: FD21C4B5D002499FDB10DFAAD984ADEBBF8FB48324F14841AE914A7310D374A954DFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F996A9,00000800,00000000,00000000), ref: 00F998BA
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 8cc852266607c28dcb27ddfa5665c78526a3b56e3ec9c122c52f60418940b741
                                                      • Instruction ID: 5069d96b837327f75b8efc53f0c9955f59387f7d0350667d4875715a9cc54d59
                                                      • Opcode Fuzzy Hash: 8cc852266607c28dcb27ddfa5665c78526a3b56e3ec9c122c52f60418940b741
                                                      • Instruction Fuzzy Hash: 4C1114B6C042498FDB10CFAAC444ADEFBF4EB89324F55842EE519A7600C375A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F996A9,00000800,00000000,00000000), ref: 00F998BA
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 8c353a111a5d731a33a43a6da4404ca394e9967a6a883703499feadff5e61e4c
                                                      • Instruction ID: d5d77db7d45018f413e811e10d6a49aa48c7bf5aac8aeda2c0f359349392cdba
                                                      • Opcode Fuzzy Hash: 8c353a111a5d731a33a43a6da4404ca394e9967a6a883703499feadff5e61e4c
                                                      • Instruction Fuzzy Hash: 321133B6C042088FDB10CF9AC444BDEFBF4EB49324F15842EE519A7600C3B5A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00F9962E
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 8f103cc9e996134b993860e64334beaa40dad947da07070529da1250b1980357
                                                      • Instruction ID: c6a5cc421db1d19bf19d7cb10e245c7f8365f817610277d0cc7c516e92541031
                                                      • Opcode Fuzzy Hash: 8f103cc9e996134b993860e64334beaa40dad947da07070529da1250b1980357
                                                      • Instruction Fuzzy Hash: AB11E0B6C046498FDB20DF9AC444BDEFBF4AB88324F15845AD419A7600C3B4A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 00F9FE9D
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: ee6554952946dd72e3afaa352bee601920d9deb17912de4dd8b6b7f5ac3404b4
                                                      • Instruction ID: 4769288dc8c132b54c30abee1e4e418a740fe3c6c2ed55c4201300385bcee674
                                                      • Opcode Fuzzy Hash: ee6554952946dd72e3afaa352bee601920d9deb17912de4dd8b6b7f5ac3404b4
                                                      • Instruction Fuzzy Hash: 5F1133B5800248CFDB10DFAAC485BEEBBF8EB48324F14845AE954A7701C374A985CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 00F9FE9D
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.584528625.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: 618b9b16079c62fb2edcd77b731b4012a2f10e91d54036ac517dfa927cdbe9bb
                                                      • Instruction ID: 60e36c8faf39678b217c3fb98df60853f5bca93748a5acf080b8a42ef28188c9
                                                      • Opcode Fuzzy Hash: 618b9b16079c62fb2edcd77b731b4012a2f10e91d54036ac517dfa927cdbe9bb
                                                      • Instruction Fuzzy Hash: 3F1112B5C002488FDB10DF9AD485BDEFBF8EB48324F20845AE919A7300C374A984CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.583760664.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c4a72366001855300f361b437f16516da0a482bef355c7ceb6e1c5b42d8f39fb
                                                      • Instruction ID: f8fa04e737a58fc292d98dae6f0991ca53dc528426cda7105675e639c99be276
                                                      • Opcode Fuzzy Hash: c4a72366001855300f361b437f16516da0a482bef355c7ceb6e1c5b42d8f39fb
                                                      • Instruction Fuzzy Hash: D22122B1504200DFCF14DF24D8C8B26BB65FB84318F20C5A9E90A5B246C73AD847CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.583760664.0000000000C9D000.00000040.00000001.sdmp, Offset: 00C9D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 92172ebf03a78cf592a9022956c2e9e7933e7e57385168dd95a476591ef77d12
                                                      • Instruction ID: 7e3eb198c86fe974420de927fbc65c50215b459b51434454218878f561531c47
                                                      • Opcode Fuzzy Hash: 92172ebf03a78cf592a9022956c2e9e7933e7e57385168dd95a476591ef77d12
                                                      • Instruction Fuzzy Hash: 09219F755093C08FCB02CF24D994B15BF71EB46314F28C5EAD8498F6A7C33A984ACB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions