Windows Analysis Report R6093846s-Invoice-Receipt.exe

Overview

General Information

Sample Name: R6093846s-Invoice-Receipt.exe
Analysis ID: 452642
MD5: cd0645cb78b55f0babbdbc4d51f23bd8
SHA1: f5221832b2b4b7338bc21e42f7e2c983d82dbdf4
SHA256: 5b618273e08f4e9633ec359cff551345d0dabf0c64da9d3b5437d1c88c4bd226
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • R6093846s-Invoice-Receipt.exe (PID: 5520 cmdline: 'C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe' MD5: CD0645CB78B55F0BABBDBC4D51F23BD8)
    • schtasks.exe (PID: 5288 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UALCBPTejUQxQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCAD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6204 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 6232 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f8dffc54-5ec5-4013-9de8-d8d85368", "Group": "CODEDBASE", "Domain1": "omaprilcode.duckdns.org", "Domain2": "omaprilcode.duckdns.org", "Port": 8090, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
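The extracted configuration is the most actionable part of this report: it names the C2 host and port, the mutex, the operator's group tag and which client features the operator switched on. The following Python is an added example for turning that JSON into indicators and response notes; it is not code from the Joe Sandbox report. The JSON is copied verbatim from the block above, while the dynamic-DNS suffix list, the wording attached to each flag and the hunting-term scheme are this example's own assumptions.

```python
"""Triage of the NanoCore client configuration printed above.

Added example, not code from the Joe Sandbox report. The JSON is copied
verbatim from the report; the dynamic-DNS suffix list, the meaning attached to
each flag and the hunting-term scheme are this example's own assumptions.
"""
import json

NANOCORE_CONFIG = r'''{"Version": "1.2.2.0", "Mutex": "f8dffc54-5ec5-4013-9de8-d8d85368", "Group": "CODEDBASE", "Domain1": "omaprilcode.duckdns.org", "Domain2": "omaprilcode.duckdns.org", "Port": 8090, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}'''

# Dynamic-DNS providers commonly abused for RAT C2. Assumption: the report only
# establishes duckdns.org for this sample.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.biz", "ddns.net",
                        "hopto.org", "zapto.org")

# Settings whose "Enable" value changes the response. The descriptions are this
# example's reading of the NanoCore builder options, not text from the report.
CAPABILITY_FLAGS = {
    "KeyboardLogging": "keylogger active: treat credentials typed on the host as exposed",
    "ClearZoneIdentifier": "strips the Zone.Identifier ADS, so Mark-of-the-Web controls do not fire",
    "RunOnStartup": "Run-key persistence (this sample used a scheduled task instead)",
    "BypassUAC": "attempts a UAC bypass to elevate",
    "SetCriticalProcess": "marks the process critical: killing it crashes the host",
    "UseCustomDNS": "resolves C2 through hard-coded resolvers, bypassing the enterprise DNS",
}


def is_dynamic_dns(host):
    """True if host is, or is a subdomain of, a known dynamic-DNS provider."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def triage_config(raw_json):
    """Turn the extracted config into IOCs, enabled capabilities and hunting terms."""
    cfg = json.loads(raw_json)
    domains = sorted({cfg[k] for k in ("Domain1", "Domain2") if cfg.get(k)})
    port = int(cfg["Port"])
    resolvers = []
    if cfg.get("UseCustomDNS") == "Enable":
        resolvers = [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]
    enabled = {k: why for k, why in CAPABILITY_FLAGS.items() if cfg.get(k) == "Enable"}
    iocs = {
        "c2_domains": domains,
        "c2_port": port,
        "dynamic_dns_c2": [d for d in domains if is_dynamic_dns(d)],
        "mutex": cfg["Mutex"],
        "group": cfg["Group"],          # operator's campaign label, a pivot across samples
        "version": cfg["Version"],
        "hardcoded_resolvers": resolvers,
    }
    hunting = ([f"dns:{d}" for d in domains]
               + [f"tcp-port:{port}", f"mutex:{cfg['Mutex']}"]
               + [f"udp53-to:{ip}" for ip in resolvers])
    return {"iocs": iocs, "enabled_capabilities": enabled, "hunting_terms": hunting}


if __name__ == "__main__":
    print(json.dumps(triage_config(NANOCORE_CONFIG), indent=2))
```

With UseCustomDNS enabled the implant sends its lookups directly to 8.8.8.8 and 8.8.4.4 (assumed semantics of that flag), so DNS telemetry collected at the internal resolver will not contain the omaprilcode.duckdns.org query; the `udp53-to:` terms exist so the hunt can pivot to egress firewall logs for workstations talking to those resolvers. The `Group` value `CODEDBASE` is the operator's own tag and is worth searching across other NanoCore configurations.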

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000002.485019554.0000000006B10000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
00000014.00000002.485019554.0000000006B10000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b99:$x2: NanoCore.ClientPluginHost
  • 0x6bce:$s4: PipeCreated
  • 0x5b86:$s5: IClientLoggingHost
00000014.00000002.484978078.0000000006AF0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost
00000014.00000002.484978078.0000000006AF0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x59eb:$x2: NanoCore.ClientPluginHost
  • 0x6941:$s3: PipeExists
  • 0x5be1:$s4: PipeCreated
  • 0x5a05:$s5: IClientLoggingHost
00000014.00000002.483826250.0000000005440000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
(5 of 45 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
20.2.RegSvcs.exe.6b30000.32.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
20.2.RegSvcs.exe.6b30000.32.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x170b:$x2: NanoCore.ClientPluginHost
  • 0x34b6:$s4: PipeCreated
  • 0x16f8:$s5: IClientLoggingHost
20.2.RegSvcs.exe.6190000.23.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
20.2.RegSvcs.exe.6190000.23.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
20.2.RegSvcs.exe.6a80000.24.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x6da5:$x1: NanoCore.ClientPluginHost
  • 0x6dd2:$x2: IClientNetworkHost
(5 of 114 entries shown)

Sigma Overview

AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality:

Sigma detected: NanoCore (the sandbox reports the same hit under all four categories)
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6232, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
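The process tree and the Sigma hit give three host-level behaviours worth turning into detections: schtasks.exe registering a task from an XML file in %TEMP% (task name Updates\UALCBPTejUQxQ, which shares its stem with the dropped C:\Users\user\AppData\Roaming\UALCBPTejUQxQ.exe and presumably launches it), RegSvcs.exe started by an executable on the user's Desktop (the injection target; its command line is the placeholder `{path}`), and RegSvcs.exe writing run.dat under a GUID-named folder in %APPDATA%. The Python below is an added example and is neither Joe Security's Sigma rule nor code from the report; it runs the three rules over constructed Sysmon-style events. The malicious events are built from the values printed in this report; the benign control events, the RegAsm.exe extension and the list of parents that legitimately spawn RegSvcs.exe are assumptions.

```python
"""Host-side detections for the process tree and the Sigma hit above, run over
constructed Sysmon-style events.

Added example, not Joe Security's Sigma rule and not code from the report.
Events mimic Sysmon EventID 1 (process create) and 11 (file create). The
malicious events are built from values printed in the report; the benign
control events and LEGIT_REGSVCS_PARENTS are assumptions.
"""
import re

# Parents that plausibly spawn RegSvcs.exe/RegAsm.exe for real work (assumption).
LEGIT_REGSVCS_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "msiexec.exe"}

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)\\", re.I)
TASK_NAME = re.compile(r"/TN\s+['\"]?([^'\"\s]+)", re.I)
# NanoCore keeps its state in %APPDATA%\<GUID>\run.dat (path shape taken from the report).
RUN_DAT = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\run\.dat$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return (rule, detail) pairs that fire on one event."""
    hits = []
    eid, image = event["EventID"], basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if eid == 1 and image == "schtasks.exe":
        low = cmd.lower()
        # A task registered from an XML file in the user's temp folder: installers
        # ship their XML in their own directory, droppers write to %TEMP%.
        if "/create" in low and "/xml" in low and "\\appdata\\local\\temp\\" in low:
            m = TASK_NAME.search(cmd)
            hits.append(("schtasks_create_from_temp_xml", m.group(1) if m else "?"))
    if eid == 1 and image in ("regsvcs.exe", "regasm.exe"):   # RegAsm added by assumption
        parent = event.get("ParentImage", "")
        # A .NET framework utility started by a binary living in a user-writable
        # path is the hollowing pattern in the tree (RegSvcs.exe <- Desktop EXE).
        if basename(parent) not in LEGIT_REGSVCS_PARENTS and USER_WRITABLE.search(parent):
            hits.append(("dotnet_utility_spawned_from_user_path", basename(parent)))
    if eid == 11 and RUN_DAT.search(event.get("TargetFilename", "")):
        hits.append(("nanocore_run_dat_created", event["TargetFilename"]))
    return hits


def scan(events):
    """Run every rule over every event; returns (pid, rule, detail) triples."""
    return [(e["ProcessId"], rule, detail) for e in events for rule, detail in detect(e)]


# Constructed events. The first three mirror the report; the last two are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5288, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UALCBPTejUQxQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCAD.tmp'",
     "ParentImage": r"C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe"},
    {"EventID": 1, "ProcessId": 6232, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": "{path}", "ParentImage": r"C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe"},
    {"EventID": 11, "ProcessId": 6232, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ProcessId": 7001, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Create /TN 'Vendor\Updater' /XML 'C:\Program Files\Vendor\task.xml'",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"EventID": 1, "ProcessId": 7002, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": "RegSvcs.exe MyComponent.dll",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"},
]

if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

The run.dat rule is the most specific of the three and the least robust: it keys on a file name a future build can change, whereas the schtasks and RegSvcs rules describe the technique and keep firing across families that reuse it.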

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000014.00000002.479043770.0000000003891000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: omaprilcode.duckdns.org | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\UALCBPTejUQxQ.exe | ReversingLabs: Detection: 32%
Multi AV Scanner detection for submitted file
Source: R6093846s-Invoice-Receipt.exe | ReversingLabs: Detection: 32%
Yara detected Nanocore RAT
Source: Yara matchFile source: 20.2.RegSvcs.exe.5b90000.20.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.448b680.14.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.38dff64.5.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.5b90000.20.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.432aae0.11.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.38dff64.5.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.38e458d.7.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.5b94629.21.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.432f109.13.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.38db12e.6.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.448b680.14.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.4325caa.12.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.420b931.10.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.448fca9.16.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.448684a.15.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.432aae0.11.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.422c192.8.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 20.2.RegSvcs.exe.4217b65.9.raw.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 00000014.00000002.484104685.0000000005B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000014.00000002.470391681.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000014.00000002.479043770.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000014.00000002.480703873.0000000004486000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.305161176.000000000396B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000014.00000002.474458367.0000000002891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000014.00000002.480187851.0000000004161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.304879840.0000000003759000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\UALCBPTejUQxQ.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: R6093846s-Invoice-Receipt.exe | Joe Sandbox ML: detected
Source: 20.2.RegSvcs.exe.5b90000.20.unpack | Avira: Label: TR/NanoCore.fadte
Source: 20.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: R6093846s-Invoice-Receipt.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: R6093846s-Invoice-Receipt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000014.00000002.480187851.0000000004161000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Daan\source\repos\NanoExploit\ClientTest\obj\Debug\ClientTest.pdb source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Daan\source\repos\NanoExploit\ClientTest\obj\Debug\ClientTest.pdbS.m. _._CorDllMainmscoree.dll source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 20_2_06BA1D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 20_2_06BA1D72

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49727 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49737 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49740 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49746 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49747 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49748 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49749 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49752 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49753 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49754 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49755 -> 185.244.26.194:8090
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 | 60B 192.168.2.3:49756 -> 185.244.26.194:8090
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: omaprilcode.duckdns.org
Uses dynamic DNS services
Source: unknown | DNS query: name: omaprilcode.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.3:49727 -> 185.244.26.194:8090
Source: Joe Sandbox View | ASN Name: VAMU-ASIP-TRANSITVAMURU
Source: unknown | DNS traffic detected: queries for: omaprilcode.duckdns.org
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | Strings found in binary or memory (type-foundry URLs of the kind carried in embedded font files; trailing characters such as "coml", "N", "8", "G" or "DPlease" are string-extraction artifacts):
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-jones.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
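The Snort hits and the dynamic-DNS lookup above describe one pattern: a duckdns.org name is resolved, then the host opens a series of short connections to the resolved address on port 8090, each carrying about 60 bytes. A sensor without the ET ruleset can still catch this by correlating DNS answers with connection metadata, which is what the Python below does. It is an added example, not code from the report. The answer 185.244.26.194 for omaprilcode.duckdns.org is assumed from the query and the Snort destinations (the report does not print the resolution itself); the record layout, the 5-second spacing of the flows and the benign control traffic are constructed.

```python
"""Correlate the dynamic-DNS lookup with the repeated small connections that
tripped ET rule 2025019 above, using only DNS and connection telemetry.

Added example, not code from the report. The answer 185.244.26.194 for
omaprilcode.duckdns.org is assumed from the query and the Snort destinations
(the report does not print the resolution); the record layout, the 5 s
cadence and the benign control flow are constructed.
"""
from collections import defaultdict

DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org")
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995, 8080}

# Constructed DNS records: the sample's lookup plus an unrelated benign one.
DNS_LOG = [
    {"ts": 0.0, "src": "192.168.2.3", "query": "omaprilcode.duckdns.org", "answers": ["185.244.26.194"]},
    {"ts": 0.5, "src": "192.168.2.3", "query": "www.example.com", "answers": ["93.184.216.34"]},
]
# Constructed connection records: the twelve 60-byte flows from the Snort lines
# (client ports as printed), spaced 5 s apart, plus one benign HTTPS flow.
C2_CLIENT_PORTS = (49727, 49737, 49740, 49746, 49747, 49748, 49749, 49752, 49753, 49754, 49755, 49756)
CONN_LOG = [
    {"ts": 4.0 + 5.0 * i, "src": "192.168.2.3", "sport": p, "dst": "185.244.26.194", "dport": 8090, "orig_bytes": 60}
    for i, p in enumerate(C2_CLIENT_PORTS)
] + [{"ts": 1.0, "src": "192.168.2.3", "sport": 49730, "dst": "93.184.216.34", "dport": 443, "orig_bytes": 517}]


def is_dynamic_dns(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def dyn_dns_resolutions(dns_log):
    """Map each IP answered for a dynamic-DNS name back to that name."""
    resolved = {}
    for rec in dns_log:
        if is_dynamic_dns(rec["query"]):
            for ip in rec["answers"]:
                resolved[ip] = rec["query"]
    return resolved


def find_beacons(conn_log, dns_log, min_flows=5, max_bytes=128):
    """Flag (src, dst, dport) groups that look like RAT check-ins.

    Three independent signals are scored and at least two must agree, so a
    lone odd port or a lone dynamic-DNS answer does not raise an alert.
    """
    resolved = dyn_dns_resolutions(dns_log)
    groups = defaultdict(list)
    for c in conn_log:
        groups[(c["src"], c["dst"], c["dport"])].append(c)
    alerts = []
    for (src, dst, dport), flows in groups.items():
        reasons = []
        if dst in resolved:
            reasons.append(f"destination resolved from dynamic DNS name {resolved[dst]}")
        if dport not in COMMON_PORTS:
            reasons.append(f"non-standard destination port {dport}")
        small = sorted(f["ts"] for f in flows if f["orig_bytes"] <= max_bytes)
        if len(small) >= min_flows:
            gaps = sorted(b - a for a, b in zip(small, small[1:]))
            reasons.append(f"{len(small)} flows of <= {max_bytes} bytes, median interval {gaps[len(gaps) // 2]:.1f}s")
        if len(reasons) >= 2:
            alerts.append({"src": src, "dst": dst, "dport": dport, "flows": len(flows), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_beacons(CONN_LOG, DNS_LOG):
        print(f"{a['src']} -> {a['dst']}:{a['dport']} ({a['flows']} flows)")
        for r in a["reasons"]:
            print("  -", r)
```

Port 8090 is this operator's choice rather than a NanoCore constant, so the port signal is "not a common service port", not a match on 8090. Against real Zeek exports the fields map to `id.orig_h`, `id.resp_h`, `id.resp_p` and `orig_bytes` in conn.log and `query`/`answers` in dns.log. Because this sample resolves through 8.8.8.8 directly (UseCustomDNS in the configuration), the DNS half of the correlation has to come from a network tap or egress sensor, not from the internal resolver's logs.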

E-Banking Fraud:

Yara detected Nanocore RAT
Source: the same 21 unpacked PEs and 10 memory dumps listed for this signature under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 20.2.RegSvcs.exe.6b30000.32.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6190000.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6a80000.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6ac0000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.4217b65.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.5b90000.20.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6b10000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6b80000.36.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.448b680.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6b44c9f.35.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6b00000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.38dff64.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.28be17c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6ac0000.26.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6b40000.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6af0000.29.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.5b90000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6b4e8a4.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.432aae0.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.2914cd4.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.6a80000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.38dff64.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.38e458d.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.5b94629.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.2914cd4.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6190000.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6ad0000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6b30000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6af0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6ae0000.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6ab0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6ae0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.432f109.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.6b80000.36.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.38db12e.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.38db12e.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.6b40000.34.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.448b680.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.5440000.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.6b10000.31.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.420b931.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.2920f1c.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.2920f1c.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.4325caa.12.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.2935558.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.420b931.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.448fca9.16.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.448684a.15.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.432aae0.11.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.422c192.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.RegSvcs.exe.422c192.8.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.RegSvcs.exe.4217b65.9.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.485019554.0000000006B10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.484978078.0000000006AF0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.483826250.0000000005440000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.484104685.0000000005B90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.485071825.0000000006B30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.470391681.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.470391681.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.484960992.0000000006AE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.479043770.0000000003891000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.484915497.0000000006AC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.484897789.0000000006AB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.485130700.0000000006B80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.480703873.0000000004486000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.484998886.0000000006B00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.484851372.0000000006A80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.305161176.000000000396B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.305161176.000000000396B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.485085026.0000000006B40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.484936957.0000000006AD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.480187851.0000000004161000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.484499149.0000000006190000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.304879840.0000000003759000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.304879840.0000000003759000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: R6093846s-Invoice-Receipt.exe
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F2293
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F0473
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F1060
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F30B8
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F18D9
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F5898
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F4BA8
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F4BB8
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F5220
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F5230
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F321C
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F3329
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F56C8
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F5438
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Code function: 0_2_026F3572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_061902B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_0276E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_0276E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_0276BBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_06BA2528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_06BAA238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_06BAAB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_06BA0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_06BA31F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_06BA9EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_06BA32AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_06BAEA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 20_2_06BA00FE
Source: R6093846s-Invoice-Receipt.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UALCBPTejUQxQ.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.298299117.00000000027C5000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMajorRevision.exe< vs R6093846s-Invoice-Receipt.exe
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.301265309.0000000002A2D000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameResource_Meter.dll> vs R6093846s-Invoice-Receipt.exe
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.307501982.0000000004C90000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs R6093846s-Invoice-Receipt.exe
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.295355680.00000000003DB000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamey34nz.exe2 vs R6093846s-Invoice-Receipt.exe
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.309371083.0000000005E10000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs R6093846s-Invoice-Receipt.exe
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.309371083.0000000005E10000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs R6093846s-Invoice-Receipt.exe
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.308198887.00000000052A0000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs R6093846s-Invoice-Receipt.exe
Source: R6093846s-Invoice-Receipt.exe, Binary or memory string: OriginalFilenamey34nz.exe2 vs R6093846s-Invoice-Receipt.exe
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe, Section loaded: onecoreuapcommonproxystub.dll
Source: R6093846s-Invoice-Receipt.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 20.2.RegSvcs.exe.6b30000.32.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b30000.32.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6190000.23.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6190000.23.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6a80000.24.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6a80000.24.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6ac0000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6ac0000.26.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.4217b65.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.4217b65.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.5b90000.20.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.5b90000.20.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6b10000.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b10000.31.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6b80000.36.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b80000.36.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.448b680.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.448b680.14.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6b44c9f.35.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b44c9f.35.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6b00000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b00000.30.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.38dff64.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.38dff64.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.28be17c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.28be17c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6ac0000.26.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6ac0000.26.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6b40000.34.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b40000.34.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6af0000.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6af0000.29.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.5b90000.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.5b90000.20.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6b4e8a4.33.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b4e8a4.33.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.432aae0.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.432aae0.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.2914cd4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.6a80000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6a80000.24.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.38dff64.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.38dff64.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.38e458d.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.38e458d.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.5b94629.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.5b94629.21.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.2914cd4.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.2914cd4.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6190000.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6190000.23.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6ad0000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6ad0000.27.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6b30000.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b30000.32.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6af0000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6af0000.29.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6ae0000.28.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6ae0000.28.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6ab0000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6ab0000.25.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6ae0000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6ae0000.28.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.432f109.13.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.6b80000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b80000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.38db12e.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.38db12e.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.38db12e.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.6b40000.34.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b40000.34.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.448b680.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.5440000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.5440000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.6b10000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.6b10000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.420b931.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.420b931.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.2920f1c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.2920f1c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.RegSvcs.exe.2920f1c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.4325caa.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.2935558.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.420b931.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.448fca9.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.448684a.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.432aae0.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.422c192.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.RegSvcs.exe.422c192.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.RegSvcs.exe.4217b65.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.485019554.0000000006B10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.485019554.0000000006B10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.484978078.0000000006AF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.484978078.0000000006AF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.483826250.0000000005440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.483826250.0000000005440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.484104685.0000000005B90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.484104685.0000000005B90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.485071825.0000000006B30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.485071825.0000000006B30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.470391681.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.470391681.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.484960992.0000000006AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.484960992.0000000006AE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.479043770.0000000003891000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.484915497.0000000006AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.484915497.0000000006AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.484897789.0000000006AB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.484897789.0000000006AB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.485130700.0000000006B80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.485130700.0000000006B80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.480703873.0000000004486000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.484998886.0000000006B00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.484998886.0000000006B00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.484851372.0000000006A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.484851372.0000000006A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.305161176.000000000396B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.305161176.000000000396B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.485085026.0000000006B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.485085026.0000000006B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.484936957.0000000006AD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.484936957.0000000006AD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.480187851.0000000004161000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.484499149.0000000006190000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.484499149.0000000006190000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.304879840.0000000003759000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.304879840.0000000003759000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: R6093846s-Invoice-Receipt.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UALCBPTejUQxQ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 20.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 20.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 20.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/8@12/2
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | File created: C:\Users\user\AppData\Roaming\UALCBPTejUQxQ.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{f8dffc54-5ec5-4013-9de8-d8d853682f44}
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Mutant created: \Sessions\1\BaseNamedObjects\SjaOvCuaUGvC
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | File created: C:\Users\user\AppData\Local\Temp\tmpCCAD.tmp
Source: R6093846s-Invoice-Receipt.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: R6093846s-Invoice-Receipt.exe | ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | File read: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe
Source: unknown | Process created: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe 'C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe'
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UALCBPTejUQxQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCAD.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UALCBPTejUQxQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCAD.tmp'
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: R6093846s-Invoice-Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: R6093846s-Invoice-Receipt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000014.00000002.480187851.0000000004161000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Daan\source\repos\NanoExploit\ClientTest\obj\Debug\ClientTest.pdb source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Daan\source\repos\NanoExploit\ClientTest\obj\Debug\ClientTest.pdbS.m. _._CorDllMainmscoree.dll source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: R6093846s-Invoice-Receipt.exe, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: UALCBPTejUQxQ.exe.0.dr, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.R6093846s-Invoice-Receipt.exe.300000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.R6093846s-Invoice-Receipt.exe.300000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeCode function: 0_2_0036A1F1 push 00000020h; iretd 0_2_0036A1F8
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeCode function: 0_2_0036B9CD pushfd ; iretd 0_2_0036B9CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 20_2_06BA0EB0 push eax; retf 20_2_06BA0EB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 20_2_06BA1F20 push es; ret 20_2_06BA1F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 20_2_06BA1F00 push es; ret 20_2_06BA1F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 20_2_06BA1F40 push es; ret 20_2_06BA1F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 20_2_06BAC421 push es; ret 20_2_06BAC430
Source: initial sampleStatic PE information: section name: .text entropy: 7.77156503233
Source: initial sampleStatic PE information: section name: .text entropy: 7.77156503233
Source: 20.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 20.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeFile created: C:\Users\user\AppData\Roaming\UALCBPTejUQxQ.exeJump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UALCBPTejUQxQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCAD.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Process information set: NOOPENFILEERRORBOX (42 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX (43 identical entries)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 3307
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 6036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: foregroundWindowGot 513
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: foregroundWindowGot 612
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe TID: 3512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe TID: 6240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RegSvcs.exe, 00000014.00000002.485282482.0000000006EE0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: vmware
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000014.00000002.485282482.0000000006EE0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000014.00000002.485282482.0000000006EE0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000014.00000002.472769599.0000000000CAF000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000014.00000002.485282482.0000000006EE0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 719008
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UALCBPTejUQxQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCAD.tmp'
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} (2 identical entries)
Source: RegSvcs.exe, 00000014.00000002.484719382.00000000067AC000.00000004.00000001.sdmp Binary or memory string: Program Manager(
Source: RegSvcs.exe, 00000014.00000002.478278857.0000000002E2A000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000014.00000002.473700881.00000000012C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000014.00000002.484152384.0000000005CEC000.00000004.00000001.sdmp Binary or memory string: Program Manager|<
Source: RegSvcs.exe, 00000014.00000002.484659379.000000000656C000.00000004.00000001.sdmp Binary or memory string: Program Manager|\
Source: RegSvcs.exe, 00000014.00000002.472879368.0000000000DCE000.00000004.00000001.sdmp Binary or memory string: Program Manager"
Source: RegSvcs.exe, 00000014.00000002.473700881.00000000012C0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 00000014.00000002.484443464.000000000604B000.00000004.00000001.sdmp Binary or memory string: Program Manager||
Source: RegSvcs.exe, 00000014.00000002.485937374.000000000883E000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager
Source: RegSvcs.exe, 00000014.00000002.484770050.0000000006A6C000.00000004.00000001.sdmp Binary or memory string: Program Managerram ManagerP
Source: RegSvcs.exe, 00000014.00000002.474705319.0000000002A0C000.00000004.00000001.sdmp Binary or memory string: Program Manager|$
Source: RegSvcs.exe, 00000014.00000002.474705319.0000000002A0C000.00000004.00000001.sdmp Binary or memory string: Program Managerx
Source: RegSvcs.exe, 00000014.00000002.473700881.00000000012C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000014.00000002.474528779.00000000028FD000.00000004.00000001.sdmp Binary or memory string: Program Managert
Source: RegSvcs.exe, 00000014.00000002.485957024.000000000897B000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000014.00000002.485880655.00000000084BB000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager|
Source: RegSvcs.exe, 00000014.00000002.485893815.00000000085BE000.00000004.00000001.sdmp Binary or memory string: Program Manager|
Source: RegSvcs.exe, 00000014.00000002.473597627.0000000000F2E000.00000004.00000001.sdmp Binary or memory string: Program Manager x
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 20_2_06BA11A0 GetSystemTimes, 20_2_06BA11A0
Source: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 20.2.RegSvcs.exe.5b90000.20.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.448b680.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.38dff64.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.5b90000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.432aae0.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R6093846s-Invoice-Receipt.exe.385f080.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.38dff64.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.38e458d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.5b94629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.432f109.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.38db12e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.448b680.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.4325caa.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.420b931.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.448fca9.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.448684a.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.432aae0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.422c192.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.RegSvcs.exe.4217b65.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.484104685.0000000005B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.470391681.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.479043770.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.480703873.0000000004486000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.305161176.000000000396B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.474458367.0000000002891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.480187851.0000000004161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.304879840.0000000003759000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: R6093846s-Invoice-Receipt.exe, 00000000.00000002.305161176.000000000396B000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe | String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp | String found in binary or memory: <Module>System.IOvalue__mscorlibConnectionStateChangedConnectionFailedPipeClosedPipeCreatedconnected<DataHost>k__BackingField<LoggingHost>k__BackingField<NetworkHost>k__BackingFieldBuildingHostCacheDownloadFileset_WindowStyleProcessWindowStyleset_FileNameGetFileNamepipeNameCreatePipeCommandTypeDebuggerBrowsableStateCompilerGeneratedAttributeGuidAttributeDebuggableAttributeDebuggerBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeDownloadExecutevalueStringPathIClientNetworkDownloadExecuteInternalClientTest.dllSystemEnumNanoCore.ClientPluginSystem.ReflectionExceptionFileInfoFileSystemInfoProcessStartInfo.ctorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesDebuggingModesGetVariablesget_Attributesset_AttributesFileAttributesGetBuilderSettingsGetServerSettingsparamsGetConnectionsProcessInfectClientsObjectSystem.NetReadPacketWebClientStartportServerTestClientTestget_DataHostset_DataHostIClientDataHost_dataHostget_LoggingHostset_LoggingHostIClientLoggingHost_loggingHostget_NetworkHostset_NetworkHostIClientNetworkHost_networkHostNanoCore.ClientPluginHosthostset_CreateNoWindow?

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | DLL Side-Loading1 | DLL Side-Loading1 | Disable or Modify Tools1 | Input Capture11 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection212 | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Obfuscated Files or Information3 | Security Account Manager | System Information Discovery13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing13 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Security Software Discovery211 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion21 | DCSync | Virtualization/Sandbox Evasion21 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection212 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
R6093846s-Invoice-Receipt.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
R6093846s-Invoice-Receipt.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\UALCBPTejUQxQ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\UALCBPTejUQxQ.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
20.2.RegSvcs.exe.5b90000.20.unpack | 100% | Avira | TR/NanoCore.fadte
20.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Domains

Source | Detection | Scanner | Label
omaprilcode.duckdns.org | 9% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
omaprilcode.duckdns.org | 9% | Virustotal |
omaprilcode.duckdns.org | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
omaprilcode.duckdns.org | 185.244.26.194 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
omaprilcode.duckdns.org | true | 9%, Virustotal; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://google.com | RegSvcs.exe, 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | R6093846s-Invoice-Receipt.exe, 00000000.00000002.297808598.0000000002751000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | R6093846s-Invoice-Receipt.exe, 00000000.00000002.318334259.000000000BCB2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.244.26.194 | omaprilcode.duckdns.org | Netherlands | 47158 | VAMU-ASIP-TRANSITVAMURU | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452642
Start date: 22.07.2021
Start time: 17:14:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 24s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: R6093846s-Invoice-Receipt.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/8@12/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 1.7% (good quality ratio 1.2%)
• Quality average: 49.6%
• Quality standard deviation: 36.4%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 57
• Number of non-executed functions: 9
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.211.6.115, 20.82.209.104, 23.211.4.86, 52.147.198.201, 40.88.32.150, 20.54.110.249, 173.222.108.210, 173.222.108.226, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.210.154
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
17:15:49 | API Interceptor | 1x Sleep call for process: R6093846s-Invoice-Receipt.exe modified
17:15:55 | API Interceptor | 656x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
185.244.26.194 | DHL STATEMENT OF ACCOUNT.exe | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
omaprilcode.duckdns.org | ANNA-INVOICE-4725434.EXE | malicious | 79.134.225.6
omaprilcode.duckdns.org | Victoria-Invoice-62541323.exe | malicious | 79.134.225.6
omaprilcode.duckdns.org | Aurora-Invoice-9383736.exe | malicious | 79.134.225.6
omaprilcode.duckdns.org | Madison-Invoice-6220917.exe | malicious | 79.134.225.6
omaprilcode.duckdns.org | 4N92zkeMjL.exe | malicious | 185.244.26.199
omaprilcode.duckdns.org | V31802166Invoice.exe | malicious | 185.244.26.199
omaprilcode.duckdns.org | CgzObSR6MI.exe | malicious | 79.134.225.9
omaprilcode.duckdns.org | dautkyNrlD.exe | malicious | 79.134.225.9
omaprilcode.duckdns.org | H538065217Invoice.exe | malicious | 79.134.225.9
omaprilcode.duckdns.org | v4nJnRl1gt.exe | malicious | 79.134.225.9
omaprilcode.duckdns.org | 524241363INV0ICE.exe | malicious | 194.5.97.75
omaprilcode.duckdns.org | y3t4g48gj6_PAYMENT.exe | malicious | 194.5.97.75
omaprilcode.duckdns.org | y3t4g48gj6_PAYMENT.exe | malicious | 194.5.97.75
omaprilcode.duckdns.org | IPUt7Nr2CH.exe | malicious | 194.5.97.75
omaprilcode.duckdns.org | q19CDiK5TD.exe | malicious | 194.5.97.75

ASN

Match | Associated Sample Name / URL | Detection | Context
VAMU-ASIP-TRANSITVAMURU | Swift_Fattura_0093320128_.exe | malicious | 185.244.26.218
VAMU-ASIP-TRANSITVAMURU | cargo detail.vbs | malicious | 185.244.26.213
VAMU-ASIP-TRANSITVAMURU | MFN0QBsVmm.exe | malicious | 185.244.26.199
VAMU-ASIP-TRANSITVAMURU | Purchase#Order20880.pdf.exe | malicious | 185.244.26.198
VAMU-ASIP-TRANSITVAMURU | Beatrice-Invoice-94873.exe | malicious | 185.244.26.199
VAMU-ASIP-TRANSITVAMURU | EVOREC - PO FH87565635456,pdf.exe | malicious | 185.244.26.196
VAMU-ASIP-TRANSITVAMURU | Pay014_Screenshot.exe | malicious | 185.244.26.199
VAMU-ASIP-TRANSITVAMURU | OIT-999-0021-21-00.vbs | malicious | 185.244.26.213
VAMU-ASIP-TRANSITVAMURU | 4N92zkeMjL.exe | malicious | 185.244.26.199
VAMU-ASIP-TRANSITVAMURU | V31802166Invoice.exe | malicious | 185.244.26.199
VAMU-ASIP-TRANSITVAMURU | jq9H4Yk8Uy.exe | malicious | 185.244.26.233
VAMU-ASIP-TRANSITVAMURU | Agency instructions.exe | malicious | 185.244.26.244
VAMU-ASIP-TRANSITVAMURU | ACS Leasing ACMI Details.vbs | malicious | 185.244.26.187
VAMU-ASIP-TRANSITVAMURU | TNT AWB TRACKING DETAILS.exe | malicious | 185.244.26.237
VAMU-ASIP-TRANSITVAMURU | FIR.SCR.exe | malicious | 185.244.26.199
VAMU-ASIP-TRANSITVAMURU | Payment_Advice_Summary_06102021.vbs | malicious | 185.244.26.242
VAMU-ASIP-TRANSITVAMURU | fac.jar | malicious | 185.244.26.223
VAMU-ASIP-TRANSITVAMURU | PaymentDetails.exe | malicious | 185.244.26.234
VAMU-ASIP-TRANSITVAMURU | fature.jar | malicious | 185.244.26.223
VAMU-ASIP-TRANSITVAMURU | May 31st, ROSI-AOP Incident Report Details.vbs | malicious | 185.244.26.202

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\R6093846s-Invoice-Receipt.exe.log
Process: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmpCCAD.tmp
Process: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1646
Entropy (8bit): 5.201350821712482
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGmOtn:cbh47TlNQ//rydbz9I3YODOLNdq38J
MD5: 10825A068F66AFA5B707A7B3CDAB7FFF
SHA1: 2DD947530450B2144FA27C0947F8A3CC1088E075
SHA-256: AF1419ABF53B8CC7904C4909ACB750191BC45C248C266D22EB3C542F3D8B9C5B
SHA-512: 652A2A58803070C30F2F88610889858EC1ECF50099CF627345A97AB80AB66004F08D9B5B5F3AEF62954997332F793E4043C33E260B50F74B808D5C91BC03D44C
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: data
Category: dropped
Size (bytes): 1624
Entropy (8bit): 7.109925499344649
Encrypted: false
SSDEEP: 48:IkXEUg6ikXEUg6ikXEUg6ikXEUg6ikXEUg6ikXEUg6ikXEUg6Z:06y6y6y6y6y6y6Z
MD5: DF9DF69B9BDF9E9F14ACBA7F6AAA0439
SHA1: F69C499EA98CB3B3FC303A8C19017F150D2FDAA1
SHA-256: 172CAF6D0566CCDAD43210FC178D55B2D12F18070F4978B27AFBE2EECB904239
SHA-512: CBC09050EECA7053F9EE7E1E744155F2E3A7A9571C06C773B1BD7FFCCC0D2572957EDB57BBC7AD2E37C180D9CB34E306EF32CE417530386FBCC5921600E7F3C0
Malicious: false
Reputation: low
Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....`*kZ..JR<..e.8....z...O......f..m.PQ>Y...}.....K.,Kl..G.....qA..#.w.&..7m..B.I.....in..<5J....z).H?....6..*2Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....`*kZ..JR<..e.8....z...O......f..m.PQ>Y...}.....K.,Kl..G.....qA..#.w.&..7m..B.I.....in..<5J....z).H?....6..*2Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....`*kZ..JR<..e.8....z...O......f..m.PQ>Y...}.....K.,Kl..G.....qA..#.w.&..7m..B.I.....in..<5J....z).H?....6..*2Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....`*kZ..JR<..e.8....z...O......f..m.PQ>Y...}.....K.,Kl..G.....qA..#.w.&..7m..B.I.....in..<5J....z).H?....6..*2Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            File Type:ISO-8859 text, with no line terminators
                            Category:dropped
                            Size (bytes):8
                            Entropy (8bit):3.0
                            Encrypted:false
                            SSDEEP:3:Pno8:vo8
                            MD5:87A19E60362ADB0A4C4DEDA315D07F62
                            SHA1:6340BAD06709D73A2D2946AC49CB5FC77B1E4DA7
                            SHA-256:548F2F89D08DD063284AA4FEA0BE342B4BF8C1516613EA3DC945C294DE8816D8
                            SHA-512:F2EF91AEEC6851000DB7A05D7B678BE6C5A15712D0684165D2665A135F3D4FCAF348934946F1F1766F5DA14E4613AA115D713685B243E12C30B125FCE47462F6
                            Malicious:true
                            Reputation:low
                            Preview: ?!..oM.H
                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):24
                            Entropy (8bit):4.501629167387823
                            Encrypted:false
                            SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                            MD5:ACD3FB4310417DC77FE06F15B0E353E6
                            SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                            SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                            SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                            Malicious:false
                            Preview: 9iH...}Z.4..f..J".C;"a
                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):5.320159765557392
                            Encrypted:false
                            SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                            MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                            SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                            SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                            SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                            Malicious:false
                            Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):317088
                            Entropy (8bit):7.999536411743182
                            Encrypted:true
                            SSDEEP:6144:cSSJh0WiGAFfbnrQk7EJa7yflloAWFNriVBkZCCsF:QhgZJ7yfToAyiz3F
                            MD5:6AB7A5BD77B3380B3DAC6164123D58C8
                            SHA1:1732E82902857F97E49541719EA46CFB88FCA68B
                            SHA-256:B89A2604B568E5D5435CE1885752739E481E83C08063DEA8FBC5CF271C0BA6D7
                            SHA-512:DDCF3CBD63D43A0E4115E77DA62D6E94199EBB1CE836A69ADBC1CA3DB6AB0D3CDFC7EC1BD495AB93286CC52223F371ED60D36BC25547E79901CD8751B10D97CC
                            Malicious:false
                            Preview: z.L*Y9.7.X..~Y...q..0y....5.1e+6..d;..........i......pk...&u..x.W1_.B.....ZP.............n...@u.uC8.o...ZX:K.C..E.S..pm.a....$..........0=H...@....n..AFi..F...H\..d..,..R@....c.{.$.@....:..>.}W..IN......PN(.._.\..~.Z........N..8:i.9.7.`.s.<.IX."?....{Mi..o.....M*...#]...!L .Ua_.7..D.XB.a;MP......a..?.RQ..ni..i..z...h..R.VW^7^.i.......T/..eh.......?.j.....H..~...X.I%..8..tP...(.t>H+.s.t.w..(. ..v..!.q1+C.Z.z.vgx.'4..C..!.x.Ez.-..FR.........E..A$L.....=.Q[..)_.5c..E.~s#.{........."...a:...&:.Ye......xu.V..v%;...FT0*..0.e...n.ss.. .,....%....0...iI.."......ira8..../.Wi.+[\....1.8......t(.\,.$b.*z...,_..;.....M/=...}.?......%....C<v+o...W.v..Q..H.zh).@n]....!uBY.<y9......]..fX..:(?.3..0....$.< "-.....f.m.j.+#.d7Xf.y.-C.......94}..a..S>....~)..%...?.......Wl.'.hNf..UW.H.Qu.{Ns.-.....m".I.....aB4.%"......>.e.d.7...b'.I........_{..9....'.!s..P.g].e.lL).0~.V..!..\y.'..hp.u6....n.*.w.}.........P0......3%..*=X]...`j...1.{<....NM.}t.."...'..`.U.{.
                            C:\Users\user\AppData\Roaming\UALCBPTejUQxQ.exe
                            Process:C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):896000
                            Entropy (8bit):7.28733637902053
                            Encrypted:false
                            SSDEEP:12288:uhdsjoEa0P0ug8+KpRJIwOauaExsH+XViPUN9AuTcxNzVD7+xQipP5r:2dsjT/zga3Ju7a+S+XViPUNiuY7Ripp
                            MD5:CD0645CB78B55F0BABBDBC4D51F23BD8
                            SHA1:F5221832B2B4B7338BC21E42F7E2C983D82DBDF4
                            SHA-256:5B618273E08F4E9633EC359CFF551345D0DABF0C64DA9D3B5437D1C88C4BD226
                            SHA-512:C2B8D05C73AB852FD4C425076E26F6D00F0A192D722B526809C6EFC5DF4623B445B5784D1C9E94DBE5EA84D7B5777451842EB898E5470422AA5AB362A369710D
                            Malicious:true
                            Antivirus:
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 33%
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.`..............0.............N.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........G..t...........................................................O .....W .3z...J...<hC.~...........H.`..z...,......$.q.L.$..T..S...wsQ.IN[..jx....^3.w.......w.kB+.r....6-...(...Qp;.<f....&.S.U.a2...*f..f...............,..f="....|..V...L..v9....O.grP.A..5...a........J.h..T..+..#._..u...u .{.$..Y.....'.B..6,.c....s.......E8..w..3. .1..D.oU3=.j...._.-&.7-..l..........H..7)..kL....G....V.........0.u.....V.^.Rk.....|.:..+...b^.k..+.]..../..q....

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.28733637902053
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:R6093846s-Invoice-Receipt.exe
                            File size:896000
                            MD5:cd0645cb78b55f0babbdbc4d51f23bd8
                            SHA1:f5221832b2b4b7338bc21e42f7e2c983d82dbdf4
                            SHA256:5b618273e08f4e9633ec359cff551345d0dabf0c64da9d3b5437d1c88c4bd226
                            SHA512:c2b8d05c73ab852fd4c425076e26f6d00f0a192d722b526809c6efc5df4623b445b5784d1c9e94dbe5ea84d7b5777451842eb898e5470422aa5ab362a369710d
                            SSDEEP:12288:uhdsjoEa0P0ug8+KpRJIwOauaExsH+XViPUN9AuTcxNzVD7+xQipP5r:2dsjT/zga3Ju7a+S+XViPUNiuY7Ripp
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.`..............0.............N.... ........@.. ....................................@................................

                            File Icon

                            Icon Hash:1a72e2e4747a6662

                            Static PE Info

                            General

                            Entrypoint:0x48f84e
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x60F96389 [Thu Jul 22 12:24:41 2021 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:v4.0.30319
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                            Entrypoint Preview

                            Instruction
                            jmp dword ptr [00402000h]    ; IAT slot at RVA 0x2000 + image base 0x400000: mscoree.dll!_CorExeMain (standard .NET entry stub)
                            add byte ptr [eax], al       ; repeated 97 times: disassembly of the zero padding that follows the stub

                            Data Directories

                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8f7fc | 0x4f | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x90000 | 0x4cca8 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xde000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                            Sections

                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x8d854 | 0x8da00 | False | 0.869911187114 | data | 7.77156503233 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x90000 | 0x4cca8 | 0x4ce00 | False | 0.181107088415 | data | 5.87991492368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xde000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Resources

                            Name | RVA | Size | Type | Language | Country
                            RT_ICON | 0x90250 | 0x468 | GLS_BINARY_LSB_FIRST | |
                            RT_ICON | 0x906b8 | 0x988 | data | |
                            RT_ICON | 0x91040 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 54805568, next used block 54805568 | |
                            RT_ICON | 0x920e8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 54805568, next used block 21251136 | |
                            RT_ICON | 0x94690 | 0x3511 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                            RT_ICON | 0x97ba4 | 0x44028 | data | |
                            RT_GROUP_ICON | 0xdbbcc | 0x4c | data | |
                            RT_GROUP_ICON | 0xdbc18 | 0x5a | data | |
                            RT_VERSION | 0xdbc74 | 0x30c | data | |
                            RT_MANIFEST | 0xdbf80 | 0xd25 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

                            Imports

                            DLL | Import
                            mscoree.dll | _CorExeMain

                            Version Infos

                            Description | Data
                            Translation | 0x0000 0x04b0
                            LegalCopyright | Copyright 2016
                            Assembly Version | 1.0.0.0
                            InternalName | y34nz.exe
                            FileVersion | 1.0.0.0
                            CompanyName |
                            LegalTrademarks |
                            Comments |
                            ProductName | uNotepad
                            ProductVersion | 1.0.0.0
                            FileDescription | uNotepad
                            OriginalFilename | y34nz.exe

                            Network Behavior

                            Snort IDS Alerts

                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            07/22/21-17:15:57.652962 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:16:07.297979 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:16:13.534653 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:16:22.015102 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:16:29.006113 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:16:35.941770 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:16:43.040140 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:16:50.097122 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:16:57.147005 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:17:04.420377 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:17:11.448870 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                            07/22/21-17:17:18.070997 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49756 | 8090 | 192.168.2.3 | 185.244.26.194

                            Network Port Distribution

                            TCP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jul 22, 2021 17:15:57.327195883 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:57.531862974 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:57.534015894 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:57.652961969 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:57.885468006 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:57.885555029 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:58.133164883 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:58.133285999 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:58.493752956 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:58.574599981 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:58.819876909 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:58.822911978 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:58.871458054 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:58.871619940 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:58.871722937 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:58.871735096 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:58.871862888 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:58.871978045 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:58.874828100 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:58.875153065 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.066279888 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.066489935 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.066639900 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.066744089 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.066837072 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.067109108 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.069801092 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.069830894 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.069881916 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.069951057 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.069978952 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.071012020 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.261334896 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.261678934 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.261759996 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.261779070 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.261985064 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.262074947 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.262084007 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.262115955 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.262182951 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.262252092 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.262574911 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.262644053 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.265378952 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.265439034 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.265501976 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.265952110 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.267570972 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.267647028 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.267698050 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.267712116 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.267756939 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.267791033 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.267795086 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.267874002 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.636511087 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636549950 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636586905 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636636019 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636679888 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636717081 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636756897 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636797905 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636868000 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636905909 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.636908054 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636941910 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.636945963 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.636950970 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.636959076 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.636993885 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637037039 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637074947 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637088060 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.637115955 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637129068 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.637156010 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637192965 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637231112 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637268066 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637295961 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.637314081 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637326002 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.637361050 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637391090 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637422085 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637454033 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637473106 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.637487888 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.637495041 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637523890 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.637532949 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637583017 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637624979 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637650013 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.637665033 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637696028 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637727022 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637756109 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.637798071 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.637818098 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.637824059 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.816118002 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.835340977 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.835375071 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.835398912 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.835433006 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.835455894 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.835526943 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.835589886 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.835683107 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.835802078 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                            Jul 22, 2021 17:15:59.835859060 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.835902929 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                            Jul 22, 2021 17:15:59.836004972 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.836009026 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.836059093 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.836071968 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.836236954 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.836263895 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.836286068 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.836302996 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.836561918 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.836618900 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.836622953 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.836695910 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.836829901 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.836879015 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.836940050 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.837081909 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.837133884 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.837143898 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.837380886 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.837408066 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.837455988 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.837466002 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.837547064 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.837646008 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.837685108 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.837702036 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.837723970 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.838133097 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.838184118 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.838192940 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.838198900 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.838227987 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.838269949 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.838274002 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.838294983 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.838411093 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.838432074 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.838450909 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.838574886 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.838615894 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.838829041 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.838900089 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.839196920 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.839301109 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.839704037 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.839723110 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.839737892 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.839776993 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.839788914 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.839806080 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.840008020 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.840127945 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.840145111 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.840162039 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.840198040 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.840214014 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.840405941 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.840471983 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.840533972 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.840583086 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.840943098 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.841006041 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.841010094 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.841212988 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.841263056 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.841274977 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.841330051 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.841491938 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.841734886 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.841790915 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.841809034 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.841928959 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.841996908 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.842044115 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.842056990 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.842253923 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.842706919 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.842776060 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.842797041 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.842869043 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.843012094 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.843058109 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.843067884 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.843096972 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.843240023 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.843295097 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.843307018 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:15:59.844078064 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:15:59.844165087 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.037393093 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.037957907 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.038034916 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.046128988 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.046158075 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.046233892 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.046350956 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.046441078 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.046528101 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.046547890 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.046675920 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.046720028 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.046787024 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.046904087 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.046972036 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.046996117 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.047034025 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.047139883 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.047146082 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.047240973 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.047319889 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.047333002 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.047391891 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.047530890 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.047549963 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.047787905 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.047898054 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.047945023 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.048080921 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.048154116 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.048384905 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.048693895 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.048759937 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.048952103 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.049199104 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.049279928 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.049576998 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.049802065 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.049907923 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.050091982 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.050391912 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.050582886 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.051232100 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.051265001 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.051275969 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.051426888 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.051457882 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.051553011 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.051733971 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.052062988 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.052136898 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.052339077 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.055013895 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.055080891 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.055576086 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.055699110 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.055789948 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.055821896 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.063888073 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.063961983 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.064604044 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.064625025 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.064707041 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.064914942 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.065191031 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.065377951 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.065493107 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.066071033 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.066212893 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.066375017 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.066565990 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.066627026 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.066931009 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.067462921 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.067647934 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.232561111 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.232594967 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.233503103 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.241167068 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.241206884 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.241422892 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.242692947 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.243002892 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.243027925 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.243161917 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.243243933 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.243313074 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.243426085 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.243765116 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.243917942 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.244081974 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.244117022 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.244184971 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.244237900 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.244492054 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.244539976 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.244643927 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.244796038 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.244889975 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.245052099 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.245076895 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.246028900 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.246057987 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.246078014 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.246115923 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.246134996 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.246148109 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.246227980 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.246539116 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.246705055 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.246794939 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.246910095 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.248152018 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.248300076 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.248358011 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.248461008 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.248466015 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.248471975 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.248553991 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.248671055 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.248744011 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.248795986 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.248821974 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.248877048 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.249208927 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.249506950 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.249618053 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.249629021 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.249703884 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.250050068 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.250243902 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.251526117 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.258687019 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.258780003 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.258822918 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.258996964 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.259418011 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.259566069 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.259768009 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.259912014 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.260581970 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.260613918 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.260636091 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.260715008 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.260741949 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.260799885 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.260863066 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.261065006 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.261832952 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.261975050 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.262691021 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.432950020 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.432988882 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.434911013 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.436222076 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.437217951 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.439178944 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.439757109 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.440036058 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.440053940 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.440736055 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.441837072 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.442131996 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.442665100 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.442848921 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.442874908 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.444489002 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.444875002 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.445328951 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.445979118 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.446127892 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.446170092 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.446504116 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.446687937 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.446901083 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.447069883 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.447379112 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.447576046 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.447659969 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.447797060 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.447895050 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.448256969 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.449625969 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.449736118 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.450218916 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.450298071 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.450321913 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.453346968 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.453371048 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.453602076 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.453634977 CEST497278090192.168.2.3185.244.26.194
                            Jul 22, 2021 17:16:00.453795910 CEST809049727185.244.26.194192.168.2.3
                            Jul 22, 2021 17:16:00.453896046 CEST809049727185.244.26.194192.168.2.3
                             Jul 22, 2021 17:16:00.453969002 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.454057932 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.454124928 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.454143047 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.454169035 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.454339981 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.454356909 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.454399109 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.454432011 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.455931902 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.455960035 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.456020117 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.456073999 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.456595898 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.458409071 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.458432913 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.458445072 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.458457947 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.458579063 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.458602905 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.460129023 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.460228920 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.460306883 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.460378885 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.460381985 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.460467100 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.460539103 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.460565090 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.460578918 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.460658073 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.460824013 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.463113070 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.625880003 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.634366989 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.634402037 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.634426117 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.634489059 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.634501934 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.634512901 CEST | 8090 | 49727 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:00.634639978 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:00.690983057 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:01.013174057 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:07.098870993 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:07.294732094 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:07.297488928 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:07.297979116 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:07.546217918 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:07.578150988 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:07.578429937 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:07.784414053 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:07.786207914 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:08.046629906 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:08.160667896 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:08.370476007 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:08.409976959 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:08.576570988 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:08.605046034 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:08.660058022 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:08.837804079 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:08.839741945 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:09.038007021 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:09.045088053 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:09.197379112 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:09.241847992 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:09.243870974 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:13.329492092 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:13.529822111 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:13.529930115 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:13.534652948 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:13.757972002 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:13.762200117 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:13.961921930 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:13.963521004 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:14.215254068 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:14.215539932 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:14.465152025 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:14.482687950 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:14.484021902 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:14.683393002 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:14.685431004 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:14.885660887 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:14.885826111 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:15.087313890 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:15.129386902 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:15.130984068 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:15.386934042 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:15.389134884 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:15.639318943 CEST | 8090 | 49740 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:16.192431927 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:21.816994905 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:22.014323950 CEST | 8090 | 49746 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:22.014447927 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:22.015101910 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:22.251610994 CEST | 8090 | 49746 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:22.251868963 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:22.450946093 CEST | 8090 | 49746 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:22.454693079 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:22.696218014 CEST | 8090 | 49746 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:22.696392059 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:22.947801113 CEST | 8090 | 49746 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:23.015707016 CEST | 8090 | 49746 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:23.017837048 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:23.215132952 CEST | 8090 | 49746 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:23.217185020 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:23.417732000 CEST | 8090 | 49746 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:23.417994976 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:23.614372969 CEST | 8090 | 49746 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:23.614562988 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:23.866729021 CEST | 8090 | 49746 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:24.568440914 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:28.805485010 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:29.004956007 CEST | 8090 | 49747 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:29.005384922 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:29.006113052 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:29.228846073 CEST | 8090 | 49747 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:29.229289055 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:29.433233976 CEST | 8090 | 49747 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:29.435000896 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:29.686201096 CEST | 8090 | 49747 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:29.686384916 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:29.938261032 CEST | 8090 | 49747 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:29.971098900 CEST | 8090 | 49747 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:29.978298903 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:30.178883076 CEST | 8090 | 49747 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:30.181747913 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:30.381490946 CEST | 8090 | 49747 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:30.381567955 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:30.581331015 CEST | 8090 | 49747 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:30.584580898 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:30.839611053 CEST | 8090 | 49747 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:31.584570885 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:35.705344915 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:35.900621891 CEST | 8090 | 49748 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:35.900736094 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:35.941770077 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:36.155797958 CEST | 8090 | 49748 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:36.156100988 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:36.351686001 CEST | 8090 | 49748 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:36.355089903 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:36.608391047 CEST | 8090 | 49748 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:36.633354902 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:36.872278929 CEST | 8090 | 49748 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:36.922837019 CEST | 8090 | 49748 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:36.924063921 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:37.118813038 CEST | 8090 | 49748 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:37.120692968 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:37.322804928 CEST | 8090 | 49748 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:37.323067904 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:37.518511057 CEST | 8090 | 49748 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:37.568654060 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:37.632915974 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:37.890085936 CEST | 8090 | 49748 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:38.647418022 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:42.839658976 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:43.038578987 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:43.039197922 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:43.040139914 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:43.260453939 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:43.261157036 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:43.463264942 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:43.465903997 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:43.718274117 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:43.726047039 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:43.979290009 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:44.129492998 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:44.130315065 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:44.332463026 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:44.338987112 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:44.725474119 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:44.753040075 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:44.753118992 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:44.781558037 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:44.781661987 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:44.954097033 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:44.981913090 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:44.982172012 CEST | 8090 | 49749 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:45.022356987 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:45.741751909 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:49.891509056 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:50.093225956 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:50.097095013 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:50.097121954 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:50.306668997 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:50.306945086 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:50.502427101 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:50.504007101 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:50.764270067 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:50.773802042 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:50.956748962 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:50.968868971 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:50.968991041 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:51.218816996 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:51.218934059 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:51.295232058 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:51.351047039 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:51.468700886 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:51.548681974 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:51.601078033 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:51.847492933 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:52.092405081 CEST | 8090 | 49752 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:52.836714029 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:56.945089102 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:57.145997047 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:57.146116972 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:57.147005081 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:57.397383928 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:57.407948017 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:57.408482075 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:57.615057945 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:57.653239965 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:57.905627966 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:57.905812025 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:58.157536983 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:58.319185019 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:58.321476936 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:58.521045923 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:58.523138046 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:58.722798109 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:58.723089933 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:58.923949003 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:58.924211025 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:16:59.186036110 CEST | 8090 | 49753 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:16:59.821836948 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:04.222434044 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:04.419219017 CEST | 8090 | 49754 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:04.419473886 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:04.420377016 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:04.644715071 CEST | 8090 | 49754 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:04.645344973 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:04.839582920 CEST | 8090 | 49754 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:04.840970993 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:05.096126080 CEST | 8090 | 49754 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:05.096268892 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:05.346054077 CEST | 8090 | 49754 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:05.946746111 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:06.044655085 CEST | 8090 | 49754 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:06.086618900 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:06.143140078 CEST | 8090 | 49754 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:06.143266916 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:06.385843039 CEST | 8090 | 49754 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:06.386631012 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:06.588037968 CEST | 8090 | 49754 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:06.634979010 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:06.831196070 CEST | 8090 | 49754 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:06.884680986 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:06.964135885 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:11.236845016 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:11.437673092 CEST | 8090 | 49755 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:11.437815905 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:11.448869944 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:11.678329945 CEST | 8090 | 49755 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:11.678798914 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:11.878145933 CEST | 8090 | 49755 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:11.878304005 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:12.123133898 CEST | 8090 | 49755 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:12.123394012 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:12.374542952 CEST | 8090 | 49755 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:12.684187889 CEST | 8090 | 49755 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:12.686335087 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:12.886063099 CEST | 8090 | 49755 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:12.886157990 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:13.140132904 CEST | 8090 | 49755 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:13.140254021 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:13.339557886 CEST | 8090 | 49755 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:13.384078026 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:13.593806028 CEST | 8090 | 49755 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:13.649758101 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:13.793334961 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:17.871226072 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:18.070386887 CEST | 8090 | 49756 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:18.070966959 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:18.070997000 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:18.321170092 CEST | 8090 | 49756 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:18.321487904 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:18.559595108 CEST | 8090 | 49756 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:18.561224937 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:18.810769081 CEST | 8090 | 49756 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:19.122827053 CEST | 8090 | 49756 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:19.124228001 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:19.326457024 CEST | 8090 | 49756 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:19.327326059 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:19.533847094 CEST | 8090 | 49756 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:19.533998966 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:19.739609957 CEST | 8090 | 49756 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:19.790833950 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:23.272231102 CEST | 8090 | 49756 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:23.322474957 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
                             Jul 22, 2021 17:17:24.081104994 CEST | 8090 | 49756 | 185.244.26.194 | 192.168.2.3
                             Jul 22, 2021 17:17:24.135045052 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
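The TCP table above shows the same shape twelve times: the infected host opens a fresh connection from a new ephemeral port to 185.244.26.194:8090, exchanges a handful of packets for one to two seconds, and reconnects roughly seven seconds later; the UDP table that follows shows a DNS query to 8.8.8.8 issued a fraction of a second before most of those connects. The script below is an added example, not part of the sandbox report or its tooling. It parses rows transcribed from both tables (the client SYN of every TCP flow, two follow-up packets of the 49737 flow so both directions are exercised, and the DNS queries visible up to 17:16:46), groups packets into flows, measures the regularity of the reconnect interval, and counts how many connects were preceded by a DNS lookup within one second. The beacon thresholds (at least 5 flows, coefficient of variation of the gaps at most 0.25) and the one-second DNS window are assumptions chosen for this illustration; the report's UDP table does not record the queried names, so the DNS correlation is by timing alone.

```python
"""Beacon-period and DNS-then-connect analysis over the packet tables of a
sandbox report. Added example; the thresholds below are assumptions, not values
taken from the report."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

EPOCH = datetime(1970, 1, 1)


@dataclass(frozen=True)
class Packet:
    ts: float  # seconds since 1970-01-01, zone ignored (only differences are used)
    sport: int
    dport: int
    src: str
    dst: str


# Rows transcribed from the report's TCP table: the client->server SYN of every
# flow to the C2, plus two follow-up packets of the 49737 flow.
TCP_ROWS = """
Jul 22, 2021 17:16:00.453969002 CEST | 49727 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:16:07.098870993 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:16:07.294732094 CEST | 8090 | 49737 | 185.244.26.194 | 192.168.2.3
Jul 22, 2021 17:16:07.297488928 CEST | 49737 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:16:13.329492092 CEST | 49740 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:16:21.816994905 CEST | 49746 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:16:28.805485010 CEST | 49747 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:16:35.705344915 CEST | 49748 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:16:42.839658976 CEST | 49749 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:16:49.891509056 CEST | 49752 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:16:56.945089102 CEST | 49753 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:17:04.222434044 CEST | 49754 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:17:11.236845016 CEST | 49755 | 8090 | 192.168.2.3 | 185.244.26.194
Jul 22, 2021 17:17:17.871226072 CEST | 49756 | 8090 | 192.168.2.3 | 185.244.26.194
"""

# Rows transcribed from the report's UDP table (queries only; the table does not
# carry the queried names, so correlation is by timing).
DNS_ROWS = """
Jul 22, 2021 17:16:00.181078911 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 17:16:06.361121893 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 17:16:07.048366070 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 17:16:13.270433903 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 17:16:21.740432978 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 17:16:28.626430035 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 17:16:35.643198013 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 17:16:42.720694065 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jul 22, 2021 17:16:46.094414949 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
"""


def parse_ts(text: str) -> float:
    """'Jul 22, 2021 17:16:00.453969002 CEST' -> float seconds; keeps all nine
    fraction digits, which strptime's %f (six digits) would reject."""
    stamp, _zone = text.rsplit(" ", 1)
    whole, frac = stamp.split(".")
    base = (datetime.strptime(whole, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds()
    return base + int(frac) / 10 ** len(frac)


def parse_rows(table: str) -> List[Packet]:
    """Parse pipe-delimited rows in the report's column order."""
    pkts = []
    for line in table.strip().splitlines():
        ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
        pkts.append(Packet(parse_ts(ts), int(sport), int(dport), src, dst))
    return pkts


def flows(pkts: List[Packet]) -> Dict[Tuple[str, int, str, int], List[Packet]]:
    """Group both directions under (client_ip, client_port, server_ip, server_port).
    The side with the higher port is taken as the client (ephemeral > service port)."""
    grouped = defaultdict(list)
    for p in pkts:
        key = (p.src, p.sport, p.dst, p.dport) if p.sport > p.dport else (p.dst, p.dport, p.src, p.sport)
        grouped[key].append(p)
    return {k: sorted(v, key=lambda p: p.ts) for k, v in grouped.items()}


def beacon_stats(starts: List[float]) -> Tuple[List[float], float, float]:
    """Gaps between successive connection starts, their mean, and their
    coefficient of variation (std/mean; near 0 means a fixed reconnect period)."""
    starts = sorted(starts)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    m = mean(gaps)
    return gaps, m, pstdev(gaps) / m


def dns_before(connect_ts: float, queries: List[Packet], window: float = 1.0) -> Optional[Packet]:
    """Most recent DNS query sent at most `window` seconds before the connect, if any."""
    prior = [q for q in queries if q.dport == 53 and 0 <= connect_ts - q.ts <= window]
    return max(prior, key=lambda q: q.ts) if prior else None


def analyse(tcp_rows: str = TCP_ROWS, dns_rows: str = DNS_ROWS,
            max_cv: float = 0.25, min_flows: int = 5) -> dict:
    """Summarise the C2 traffic: flow count, servers, reconnect period, and how
    many connects were immediately preceded by a DNS lookup."""
    tcp = flows(parse_rows(tcp_rows))
    queries = parse_rows(dns_rows)
    starts = [pkts[0].ts for pkts in tcp.values()]
    _gaps, m, cv = beacon_stats(starts)
    return {
        "flows": len(tcp),
        "servers": sorted({(k[2], k[3]) for k in tcp}),
        "mean_gap_s": round(m, 3),
        "gap_cv": round(cv, 3),
        "beacon": len(tcp) >= min_flows and cv <= max_cv,
        "resolved_before_connect": sum(dns_before(s, queries) is not None for s in starts),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

On these rows the script reports twelve flows to a single server, 185.244.26.194:8090, a mean reconnect gap of about 7.0 s with a coefficient of variation below 0.1, and a DNS lookup within one second of seven of the twelve connects (the remaining five fall after the last DNS row visible in the excerpt). The same grouping and gap statistics apply unchanged to a Zeek conn.log or a firewall export, where a low-variance reconnect interval to a non-standard port is the signal worth alerting on.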

                            UDP Packets

                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Jul 22, 2021 17:15:04.763046026 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:04.816519022 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:04.922252893 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:04.980652094 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:05.966795921 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:06.018944979 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:07.723407030 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:07.775559902 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:09.066780090 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:09.118920088 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:10.847954035 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:10.907686949 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:12.146908045 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:12.207806110 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:13.845693111 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:13.906315088 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:15.560169935 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:15.613352060 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:17.903354883 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:17.952857018 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:19.524101973 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:19.573231936 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:20.962048054 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:21.019257069 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:24.582153082 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:24.631280899 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:26.460402966 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:26.517627001 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:37.889480114 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:37.949548006 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:38.603039026 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:38.678119898 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:39.740140915 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:39.802215099 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:40.556672096 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:40.618021965 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:41.425570965 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:41.485343933 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:44.741709948 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:44.793931007 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:45.504014015 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:45.555970907 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:56.759084940 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:56.923748970 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:57.187777042 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:57.249794960 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:57.951250076 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:58.008028030 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:58.493403912 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:58.552948952 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:58.892782927 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:58.960469961 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:15:59.229800940 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:15:59.295526981 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:00.181078911 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:00.241190910 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:03.245335102 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:03.303710938 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:04.066680908 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:04.116664886 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:05.235856056 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:05.296524048 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:06.361121893 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:06.418401957 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:07.048366070 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:07.097353935 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:07.650682926 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:07.711216927 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:08.311414003 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:08.369090080 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:13.270433903 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:13.327728033 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:15.485491991 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:15.542777061 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:21.740432978 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:21.797602892 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:28.626430035 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:28.781832933 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:35.643198013 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:35.703490973 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:42.720694065 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
                             Jul 22, 2021 17:16:42.780225992 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3
                             Jul 22, 2021 17:16:46.094414949 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
                            Jul 22, 2021 17:16:46.162256002 CEST53639788.8.8.8192.168.2.3
                            Jul 22, 2021 17:16:48.411180019 CEST6293853192.168.2.38.8.8.8
                            Jul 22, 2021 17:16:48.486733913 CEST53629388.8.8.8192.168.2.3
                            Jul 22, 2021 17:16:49.797224045 CEST5570853192.168.2.38.8.8.8
                            Jul 22, 2021 17:16:49.857126951 CEST53557088.8.8.8192.168.2.3
                            Jul 22, 2021 17:16:56.884917021 CEST5680353192.168.2.38.8.8.8
                            Jul 22, 2021 17:16:56.943536043 CEST53568038.8.8.8192.168.2.3
                            Jul 22, 2021 17:17:04.036845922 CEST5714553192.168.2.38.8.8.8
                            Jul 22, 2021 17:17:04.189584017 CEST53571458.8.8.8192.168.2.3
                            Jul 22, 2021 17:17:11.173968077 CEST5535953192.168.2.38.8.8.8
                            Jul 22, 2021 17:17:11.235089064 CEST53553598.8.8.8192.168.2.3
                            Jul 22, 2021 17:17:17.807742119 CEST5830653192.168.2.38.8.8.8
                            Jul 22, 2021 17:17:17.867338896 CEST53583068.8.8.8192.168.2.3

                            DNS Queries

                            Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                    | Type           | Class
                            Jul 22, 2021 17:15:56.759084940 CEST | 192.168.2.3 | 8.8.8.8 | 0xd325   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:07.048366070 CEST | 192.168.2.3 | 8.8.8.8 | 0x8b3e   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:13.270433903 CEST | 192.168.2.3 | 8.8.8.8 | 0xfd27   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:21.740432978 CEST | 192.168.2.3 | 8.8.8.8 | 0x8bbe   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:28.626430035 CEST | 192.168.2.3 | 8.8.8.8 | 0xf1e6   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:35.643198013 CEST | 192.168.2.3 | 8.8.8.8 | 0xa0da   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:42.720694065 CEST | 192.168.2.3 | 8.8.8.8 | 0x47df   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:49.797224045 CEST | 192.168.2.3 | 8.8.8.8 | 0x365c   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:56.884917021 CEST | 192.168.2.3 | 8.8.8.8 | 0xace2   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:17:04.036845922 CEST | 192.168.2.3 | 8.8.8.8 | 0x22c1   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:17:11.173968077 CEST | 192.168.2.3 | 8.8.8.8 | 0x9904   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:17:17.807742119 CEST | 192.168.2.3 | 8.8.8.8 | 0xaf5f   | Standard query (0) | omaprilcode.duckdns.org | A (IP address) | IN (0x0001)

                            DNS Answers

                            Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name                    | CName | Address        | Type           | Class
                            Jul 22, 2021 17:15:56.923748970 CEST | 8.8.8.8   | 192.168.2.3 | 0xd325   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:07.097353935 CEST | 8.8.8.8   | 192.168.2.3 | 0x8b3e   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:13.327728033 CEST | 8.8.8.8   | 192.168.2.3 | 0xfd27   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:21.797602892 CEST | 8.8.8.8   | 192.168.2.3 | 0x8bbe   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:28.781832933 CEST | 8.8.8.8   | 192.168.2.3 | 0xf1e6   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:35.703490973 CEST | 8.8.8.8   | 192.168.2.3 | 0xa0da   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:42.780225992 CEST | 8.8.8.8   | 192.168.2.3 | 0x47df   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:49.857126951 CEST | 8.8.8.8   | 192.168.2.3 | 0x365c   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:16:56.943536043 CEST | 8.8.8.8   | 192.168.2.3 | 0xace2   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:17:04.189584017 CEST | 8.8.8.8   | 192.168.2.3 | 0x22c1   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:17:11.235089064 CEST | 8.8.8.8   | 192.168.2.3 | 0x9904   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)
                            Jul 22, 2021 17:17:17.867338896 CEST | 8.8.8.8   | 192.168.2.3 | 0xaf5f   | No error (0) | omaprilcode.duckdns.org |       | 185.244.26.194 | A (IP address) | IN (0x0001)

                            Code Manipulations

                            Statistics

                            CPU Usage

                            Memory Usage

                            High Level Behavior Distribution

                            Behavior

                            System Behavior

                            General

                            Start time: 17:15:09
                            Start date: 22/07/2021
                            Path: C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\Desktop\R6093846s-Invoice-Receipt.exe'
                            Imagebase: 0x300000
                            File size: 896000 bytes
                            MD5 hash: CD0645CB78B55F0BABBDBC4D51F23BD8
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: .Net C# or VB.NET
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.305161176.000000000396B000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.305161176.000000000396B000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.305161176.000000000396B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.304879840.0000000003759000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.304879840.0000000003759000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.304879840.0000000003759000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation: low

                            General

                            Start time: 17:15:50
                            Start date: 22/07/2021
                            Path: C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UALCBPTejUQxQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpCCAD.tmp'
                            Imagebase: 0xae0000
                            File size: 185856 bytes
                            MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 17:15:51
                            Start date: 22/07/2021
                            Path: C:\Windows\System32\conhost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase: 0x7ff6b2800000
                            File size: 625664 bytes
                            MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 17:15:51
                            Start date: 22/07/2021
                            Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            Wow64 process (32bit): false
                            Commandline: {path}
                            Imagebase: 0x1b0000
                            File size: 45152 bytes
                            MD5 hash: 2867A3817C9245F7CF518524DFD18F28
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high

                            General

                            Start time: 17:15:52
                            Start date: 22/07/2021
                            Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            Wow64 process (32bit): true
                            Commandline: {path}
                            Imagebase: 0x4f0000
                            File size: 45152 bytes
                            MD5 hash: 2867A3817C9245F7CF518524DFD18F28
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: .Net C# or VB.NET
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.485019554.0000000006B10000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.485019554.0000000006B10000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.484978078.0000000006AF0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.484978078.0000000006AF0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.483826250.0000000005440000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.483826250.0000000005440000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.484104685.0000000005B90000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.484104685.0000000005B90000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.484104685.0000000005B90000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.485071825.0000000006B30000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.485071825.0000000006B30000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.480562084.0000000004325000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.470391681.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.470391681.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.470391681.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.484960992.0000000006AE0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.484960992.0000000006AE0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.479043770.0000000003891000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.479043770.0000000003891000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.484915497.0000000006AC0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.484915497.0000000006AC0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.484897789.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.484897789.0000000006AB0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.485130700.0000000006B80000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.485130700.0000000006B80000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.480703873.0000000004486000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.480703873.0000000004486000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.484998886.0000000006B00000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.484998886.0000000006B00000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.484851372.0000000006A80000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.484851372.0000000006A80000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.485085026.0000000006B40000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.485085026.0000000006B40000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.474458367.0000000002891000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.484936957.0000000006AD0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.484936957.0000000006AD0000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.480187851.0000000004161000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.480187851.0000000004161000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.484499149.0000000006190000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000014.00000002.484499149.0000000006190000.00000004.00000001.sdmp, Author: Florian Roth
                            Reputation: high

                            Disassembly

                            Code Analysis

                              Executed Functions

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 026FB5C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.297488584.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026FF909,00000800,00000000,00000000), ref: 026FFB1A
                              Memory Dump Source
                              • Source File: 00000000.00000002.297488584.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 026FF88E
                              Memory Dump Source
                              • Source File: 00000000.00000002.297488584.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false

                              Memory Dump Source
                              • Source File: 00000000.00000002.306756814.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.306756814.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.296329301.0000000000E2D000.00000040.00000001.sdmp, Offset: 00E2D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.296553695.0000000000E3D000.00000040.00000001.sdmp, Offset: 00E3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.296553695.0000000000E3D000.00000040.00000001.sdmp, Offset: 00E3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.296553695.0000000000E3D000.00000040.00000001.sdmp, Offset: 00E3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.296329301.0000000000E2D000.00000040.00000001.sdmp, Offset: 00E2D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.296553695.0000000000E3D000.00000040.00000001.sdmp, Offset: 00E3D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.296329301.0000000000E2D000.00000040.00000001.sdmp, Offset: 00E2D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.306756814.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.296329301.0000000000E2D000.00000040.00000001.sdmp, Offset: 00E2D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.306756814.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.297488584.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: "$"
                              • API String ID: 0-2937547392
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.297488584.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: "
                              • API String ID: 0-870058758
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.297488584.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: e?^
                              • API String ID: 0-1603976506
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.297488584.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.297488584.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.297488584.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.297488584.00000000026F0000.00000040.00000001.sdmp, Offset: 026F0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Executed Functions

                              Memory Dump Source
                              • Source File: 00000014.00000002.485185864.0000000006BA0000.00000040.00000001.sdmp, Offset: 06BA0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0276962E
                              Strings
                              Memory Dump Source
                              • Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                              Similarity
                              • API ID: HandleModule
                              • String ID: HR$HR
                              • API String ID: 4139908857-4037001784
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimes.KERNELBASE(?,00000006,?), ref: 06BA1574
                              Memory Dump Source
                              • Source File: 00000014.00000002.485185864.0000000006BA0000.00000040.00000001.sdmp, Offset: 06BA0000, based on PE: false
                              Similarity
                              • API ID: SystemTimes
                              • String ID:
                              • API String ID: 375623090-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 061A2FE0
                              Memory Dump Source
                              • Source File: 00000014.00000002.484524733.00000000061A0000.00000040.00000001.sdmp, Offset: 06190000, based on PE: true
                              • Associated: 00000014.00000002.484499149.0000000006190000.00000004.00000001.sdmp
                              Yara matches
                              Similarity
                              • API ID: Query_
                              • String ID:
                              • API String ID: 428220571-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0276FD0A
                              Memory Dump Source
                              • Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryA.KERNELBASE(?), ref: 06BA741A
                              Memory Dump Source
                              • Source File: 00000014.00000002.485185864.0000000006BA0000.00000040.00000001.sdmp, Offset: 06BA0000, based on PE: false
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryA.KERNELBASE(?), ref: 06BA741A
                              Memory Dump Source
                              • Source File: 00000014.00000002.485185864.0000000006BA0000.00000040.00000001.sdmp, Offset: 06BA0000, based on PE: false
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimes.KERNELBASE(?,00000006,?), ref: 06BA1574
                              Memory Dump Source
                              • Source File: 00000014.00000002.485185864.0000000006BA0000.00000040.00000001.sdmp, Offset: 06BA0000, based on PE: false
                              Similarity
                              • API ID: SystemTimes
                              • String ID:
                              • API String ID: 375623090-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimes.KERNELBASE(?,00000006,?), ref: 06BA1574
                              Memory Dump Source
                              • Source File: 00000014.00000002.485185864.0000000006BA0000.00000040.00000001.sdmp, Offset: 06BA0000, based on PE: false
                              Similarity
                              • API ID: SystemTimes
                              • String ID:
                              • API String ID: 375623090-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0276FE28,?,?,?,?), ref: 0276FE9D
                              Memory Dump Source
                              • Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                              Similarity
                              • API ID: LongWindow
                              • String ID:
                              • API String ID: 1378638983-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0276BCC6,?,?,?,?,?), ref: 0276BD87
                              Memory Dump Source
                              • Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0276BCC6,?,?,?,?,?), ref: 0276BD87
                              Memory Dump Source
                              • Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027696A9,00000800,00000000,00000000), ref: 027698BA
                              Memory Dump Source
                              • Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 277e5b34aa86529ae7b838a2f5b778c0e4579c9c29fe8b0da8931632b60d0ce1
                              • Instruction ID: cc8f846432c8211a941fcb1eb8a809f5eb54e8e1101813b5d71b52c3c87e7418
                              • Opcode Fuzzy Hash: 277e5b34aa86529ae7b838a2f5b778c0e4579c9c29fe8b0da8931632b60d0ce1
                              • Instruction Fuzzy Hash: FA1114B2D00209DFDB10CF9AC448AEEFBF4AB88314F15842AD919A7600C375A949CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027696A9,00000800,00000000,00000000), ref: 027698BA
                              Memory Dump Source
                              • Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 50ad56f61bb9f26172139d7cedf9544609d14d8e789d0097c0579dfa8134d0f9
                              • Instruction ID: 01128d6bf99e01b42ecb2dfeb1432277720a2a546081d1e07959f6f8f03519d3
                              • Opcode Fuzzy Hash: 50ad56f61bb9f26172139d7cedf9544609d14d8e789d0097c0579dfa8134d0f9
                              • Instruction Fuzzy Hash: BA1103B6900209DFDB10CF9AC448AEEFBF4EB88314F15842AE915B7640C374A945CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0276962E
                              Memory Dump Source
                              • Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 33010047bca11576fd87f428548aec615ae5049146e9a4b2fce90b9be7ccac53
                              • Instruction ID: 69b1323ca72cbae140706dc1041e8cf3ef7eec635b58c64008abc2a8943438f0
                              • Opcode Fuzzy Hash: 33010047bca11576fd87f428548aec615ae5049146e9a4b2fce90b9be7ccac53
                              • Instruction Fuzzy Hash: A011DFB5D00749CFCB10CF9AC448ADEFBF4AB88624F15842AD929A7600D378A549CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0276FE28,?,?,?,?), ref: 0276FE9D
                              Memory Dump Source
                              • Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
                              Similarity
                              • API ID: LongWindow
                              • String ID:
                              • API String ID: 1378638983-0
                              • Opcode ID: 6c08dc2feb5e4fff4e2d3869b1be1237f60cca0da7d3b1a8088964a75b38fcfc
                              • Instruction ID: 44ea93f6f498d43bbe12e7b9a1c1c33fa5cbc40690b498e3917a05aaa2da853b
                              • Opcode Fuzzy Hash: 6c08dc2feb5e4fff4e2d3869b1be1237f60cca0da7d3b1a8088964a75b38fcfc
                              • Instruction Fuzzy Hash: 521128B19002088FDB10DF9AD549BEFBBF4EB48324F108419E915B7741C374A944CFA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.472988540.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 56d8d9270a687bb499e3cfd57511d700cf10d8c88b25f99c4d3618caa90cd758
                              • Instruction ID: fdf20c721ae51b25f23b10670d3c7bbe2b4e2757cf4b1d1b158d2307bfa1b666
                              • Opcode Fuzzy Hash: 56d8d9270a687bb499e3cfd57511d700cf10d8c88b25f99c4d3618caa90cd758
                              • Instruction Fuzzy Hash: 3621F4B1504248DFDB05DF14D8C0B2ABB67FB98328F25C569DA090B346C33AD856D6B2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.473142268.0000000000E0D000.00000040.00000001.sdmp, Offset: 00E0D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7362786cfeb01e4b2af59b21dad90a030069629df9861c7e4bcf28b5a50e956d
                              • Instruction ID: 77e121629d5c0cdf5fac82ed59e38903df22651b29f3082dc3b6fef1ef3e102d
                              • Opcode Fuzzy Hash: 7362786cfeb01e4b2af59b21dad90a030069629df9861c7e4bcf28b5a50e956d
                              • Instruction Fuzzy Hash: D8212571508200DFCB14CF54DCC4B16BB66FB84328F20C969D80D5B286C33AD887CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.473142268.0000000000E0D000.00000040.00000001.sdmp, Offset: 00E0D000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 456009cc70496f4495a8881dadb0141211851137ae4796dd9d119fda4332cc7f
                              • Instruction ID: 49015d597f7934fad581f7d71ccabc20b6a19c2f9b0a2529a4532199a3b95af6
                              • Opcode Fuzzy Hash: 456009cc70496f4495a8881dadb0141211851137ae4796dd9d119fda4332cc7f
                              • Instruction Fuzzy Hash: CB21507550D3C08FCB12CF64D994715BF71EB46314F28C5EAD8498B697C33A984ACB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.472988540.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
                              • Instruction ID: 313d1fa35b186c5e841b009007dd2a1b88da1540a93e72685c1b23e5dd7388a3
                              • Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
                              • Instruction Fuzzy Hash: 2911AF76404284CFCB12CF14D9C4B26BF62FB95324F28C6A9D9050B756C33AD85ACBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9a40b7953b4d37e6afde6907cf3d9ae9733a8c0787b86537cfa10684a7df0f3c
                              • Instruction ID: 177242cfe54aa1924226e433abfe8b9c325932109d554e381917fcfc9b68f39b
                              • Opcode Fuzzy Hash: 9a40b7953b4d37e6afde6907cf3d9ae9733a8c0787b86537cfa10684a7df0f3c
                              • Instruction Fuzzy Hash: C7019CB17081088BC31C1799B814279BBDAEF8925571880BFE22ACB246DFE14C01C392
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: adad3778059200bcd940a3ffd8c00bfb0c734f31c178e1e57a5df0ff0db87b7b
                              • Instruction ID: 3884dd804967a1a083446d2cbc2367f0a15c854c362b05b70489e1fb76f0294e
                              • Opcode Fuzzy Hash: adad3778059200bcd940a3ffd8c00bfb0c734f31c178e1e57a5df0ff0db87b7b
                              • Instruction Fuzzy Hash: 6D01A772B00A214B8774DA78D840ABBB3EAAF88624314C67DD44ACB784DF31EC4387D0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 61facd1f3ec6320d2124a389725136e729d03709de690ed2888cba5260796054
                              • Instruction ID: b591da45ef079a16bff82a578b7ecf6b7a4fde078c56fcc6157ae0b3092f7793
                              • Opcode Fuzzy Hash: 61facd1f3ec6320d2124a389725136e729d03709de690ed2888cba5260796054
                              • Instruction Fuzzy Hash: BEF0817030426917D358666D581072FA59BDBC9640F2AC52EA20B9B389CE748C0253B6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 02643e866d5148d3b9e1831bed925643bdcba8171b46a7d675bed7d3f0549325
                              • Instruction ID: f41f8018c7ecffe082509973e94769dbe65a1eab25f9779556d57e7a0027503c
                              • Opcode Fuzzy Hash: 02643e866d5148d3b9e1831bed925643bdcba8171b46a7d675bed7d3f0549325
                              • Instruction Fuzzy Hash: D801A7B1E1411D9FC754AFE8A8046AEBBF1BF89218F10C57AD11AE7341FBF4850687A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 38dc8243c6738ff5c07cb301e89dc9c104cc9e5dd1770527e1e42c237ccc241d
                              • Instruction ID: 65910098bcdd4f7f09feb62d54f1ab4dd23cce406e3d494d0e73b462e14ef0d6
                              • Opcode Fuzzy Hash: 38dc8243c6738ff5c07cb301e89dc9c104cc9e5dd1770527e1e42c237ccc241d
                              • Instruction Fuzzy Hash: BB0121713086044BC3249B7EA86065B7AA7DFC1144726887AD20ECB386DF225C1683E2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 96e9f5d0dc92e8360e7da3d0e9f529eec4247a1fb061d64b06f7154e8f06a859
                              • Instruction ID: 175882a72026baf3bfc996758f1feba3d13507ed73c4fd7eb912d660b751bbac
                              • Opcode Fuzzy Hash: 96e9f5d0dc92e8360e7da3d0e9f529eec4247a1fb061d64b06f7154e8f06a859
                              • Instruction Fuzzy Hash: CDF0247031836E5BD659971C5C10AAB7BAFE7CC618F04461AB6078698CCE744D0242B6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 724ede6f1f2d584df35b9d215fefa4fa1d4b9a2e38d4e528485fa6399888f3ea
                              • Instruction ID: 671f67ea46f73b947bce8e6bc53c182207457adf3eba5dcd25d9445d91a0e8c7
                              • Opcode Fuzzy Hash: 724ede6f1f2d584df35b9d215fefa4fa1d4b9a2e38d4e528485fa6399888f3ea
                              • Instruction Fuzzy Hash: 5EF05C3130060247C320DB6EE844947BBEAEFC4254305C53DE60DC7210EB22A81643E1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 516a648df18ca38a08624887b1a76059fc158f75b4eb8f3f8d8d74aef3ea0d03
                              • Instruction ID: 0f0803544c6bb430e9685f221cb20ba5574db56e46521ff862b0e96a39713695
                              • Opcode Fuzzy Hash: 516a648df18ca38a08624887b1a76059fc158f75b4eb8f3f8d8d74aef3ea0d03
                              • Instruction Fuzzy Hash: 30E0D876B065245BD7345D74A4546EB779BCFC8211B05025AAD86833C5CE285D1582E3
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0368abcd1abcb96a700e72aa9d5dc302ae86e5269c3cf3656f46e45e69926ab2
                              • Instruction ID: 1a135a1d19a31ad7f673811d2afe7506c2d18de2e91e518bb8cb4d4f20300832
                              • Opcode Fuzzy Hash: 0368abcd1abcb96a700e72aa9d5dc302ae86e5269c3cf3656f46e45e69926ab2
                              • Instruction Fuzzy Hash: 75D02E713080BA4BE6062B0CAC2076EA25BFBD8210F20492FE7038238CCB304C0213B6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c4cf661acbdf347880b2921cbea8292cc9385aacfc9cf09fffbe74db4e177eb9
                              • Instruction ID: b2bb9bddcc9c0a0a7ba53bc9005feba4514d2495063c67c3ce4b96e704ce854b
                              • Opcode Fuzzy Hash: c4cf661acbdf347880b2921cbea8292cc9385aacfc9cf09fffbe74db4e177eb9
                              • Instruction Fuzzy Hash: 1AE020F150911CCBD7180F5164143757751DF0660A75400FDE2A60F141D7E28801C383
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 62539daed71883f79c29ad17f1d97ad85fa3aaa053840c887e358c19dce858db
                              • Instruction ID: ad7a1f94a433c3e0d5baffb96b3641a2c4f7f0ee388b302d537a81752f1f5d0c
                              • Opcode Fuzzy Hash: 62539daed71883f79c29ad17f1d97ad85fa3aaa053840c887e358c19dce858db
                              • Instruction Fuzzy Hash: 75E0C2367016248B9214AA64A5046EF73EB9FC8120704432AEC4AC3781CB28AD0582E2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 48c5c49ac8416a9e0fa8219ce9c40a63f8de55fb155d526a1666798594637e13
                              • Instruction ID: 20986aeac11866b6eb3c0b0eda1fa4203afbc97cd1648c6bb7d75ffcb97ce6a2
                              • Opcode Fuzzy Hash: 48c5c49ac8416a9e0fa8219ce9c40a63f8de55fb155d526a1666798594637e13
                              • Instruction Fuzzy Hash: 98E0ECB0D0020E9FC780EFA8C41179EBBF4BB04614F208979C015E7241E7B446058F91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485448199.0000000007010000.00000040.00000001.sdmp, Offset: 07010000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4904a15ea0b9a8f762f1d69d5875d29b55f7ed0ca14dc88114fcec173f084e7f
                              • Instruction ID: 449a675a8c0ead2f390f597b2192f3bf95cca0292176f8ec27327dc8df642314
                              • Opcode Fuzzy Hash: 4904a15ea0b9a8f762f1d69d5875d29b55f7ed0ca14dc88114fcec173f084e7f
                              • Instruction Fuzzy Hash: E2C08C706283099BCA4CDB5A68819AA336BA3C9B05F04C214B22F1254CCAB168424050
                              Uniqueness

                              Uniqueness Score: -1.00%

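A triage pass over the function records in this listing, as an added example that is not part of the report or of Joe Sandbox's own tooling. It parses the record layout used above, then reports, for every memory-dump region the report marks "based on PE: false" (code with no file backing), how many functions live there, which Windows APIs they reference and at which call site, and whether the region was writable and executable. The meaning of the dotted fields in the dump file name (process index, event, dump sequence, region base, page protection, flags) is an assumption drawn from the naming convention, not something the report states; the only report facts used are the lines themselves. The sample input is three records copied from the listing above with the similarity-hash bullets the parser does not read removed.

```python
"""Triage helper for the per-function records above (added example, not
report or Joe Sandbox code): parse the records, then list which Windows
APIs are referenced from regions the report marks 'based on PE: false'."""
import re
from collections import defaultdict

# Three records copied from the listing above (report data, trimmed to the
# bullets the parser reads); unrecognised lines are skipped anyway.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027696A9,00000800,00000000,00000000), ref: 027698BA
Memory Dump Source
• Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
Similarity
• API ID: LibraryLoad
• Opcode ID: 277e5b34aa86529ae7b838a2f5b778c0e4579c9c29fe8b0da8931632b60d0ce1
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027696A9,00000800,00000000,00000000), ref: 027698BA
Memory Dump Source
• Source File: 00000014.00000002.474360815.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false
Similarity
• API ID: LibraryLoad
• Opcode ID: 50ad56f61bb9f26172139d7cedf9544609d14d8e789d0097c0579dfa8134d0f9
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000014.00000002.472988540.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
Similarity
• API ID:
• Opcode ID: 56d8d9270a687bb499e3cfd57511d700cf10d8c88b25f99c4d3618caa90cd758
Uniqueness

Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-F]+)$")
SRC_RE = re.compile(r"^• Source File: (\S+\.sdmp), Offset: ([0-9A-F]+), based on PE: (true|false)$")
OPC_RE = re.compile(r"^• Opcode ID: ([0-9a-f]+)$")
SCORE_RE = re.compile(r"^Uniqueness Score: (-?[0-9.]+)%$")
PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant


def parse_records(text):
    # One dict per function; a record is closed by its 'Uniqueness Score' line.
    records, cur = [], {"apis": []}
    for line in map(str.strip, text.splitlines()):
        if m := API_RE.match(line):
            cur["apis"].append({"name": m[1], "module": m[2], "ref": int(m[4], 16)})
        elif m := SRC_RE.match(line):
            cur.update(source=m[1], offset=int(m[2], 16), pe_backed=m[3] == "true")
        elif m := OPC_RE.match(line):
            cur["opcode_id"] = m[1]
        elif m := SCORE_RE.match(line):
            cur["uniqueness"] = float(m[1])
            records.append(cur)
            cur = {"apis": []}
    return records


def parse_dump_name(name):
    # Field meaning is an ASSUMPTION from the dump-name convention, not stated
    # by the report: process index, event, dump sequence, region base, page
    # protection, flags.  0x40 in the protection field is PAGE_EXECUTE_READWRITE.
    pid, event, seq, base, protect, flags = name[: -len(".sdmp")].split(".")
    return {"process": int(pid, 16), "event": int(event, 16), "seq": seq,
            "base": int(base, 16), "protect": int(protect, 16), "flags": int(flags, 16)}


def triage(records):
    # Per non-PE-backed dump region: how many functions live there, which APIs
    # they reference (Name.Module@callsite), and whether the region was RWX.
    out = {}
    for r in records:
        if "source" not in r or r["pe_backed"]:
            continue
        e = out.setdefault(r["source"], {
            "offset": r["offset"], "functions": 0, "apis": set(),
            "rwx": parse_dump_name(r["source"])["protect"] == PAGE_EXECUTE_READWRITE})
        e["functions"] += 1
        e["apis"].update(f"{a['name']}.{a['module']}@{a['ref']:08X}" for a in r["apis"])
    return out


def shared_call_sites(records):
    # Call sites cited by more than one distinct function (distinct opcode IDs):
    # the two LoadLibraryExW records above both point at ref 027698BA.
    by_ref = defaultdict(set)
    for r in records:
        for a in r["apis"]:
            by_ref[f"{a['name']}@{a['ref']:08X}"].add(r.get("opcode_id"))
    return {k: len(v) for k, v in by_ref.items() if len(v) > 1}
```

Paste the whole listing into `parse_records` and the output of `triage` becomes the list of unbacked regions worth opening in a debugger or dumping for strings: here both sampled regions in process index 0x14 are non-PE-backed and RWX, and the 02760000 region is the one that resolves and loads modules at runtime (LoadLibraryExW) from code with no file on disk behind it. `shared_call_sites` flags the two functions that cite the same LoadLibraryExW call site under different opcode IDs, which is worth a second look before treating them as two distinct routines.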
                              Non-executed Functions

                              Memory Dump Source
                              • Source File: 00000014.00000002.485185864.0000000006BA0000.00000040.00000001.sdmp, Offset: 06BA0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0b70f3bebb548294ee85952a2885ce60b9141d46953621ffde88855cd678a529
                              • Instruction ID: 7e3942ca2c3ab4f8e89579b714fcf9b4908a94c4bdfc0a3d0a39437f2dcc9a31
                              • Opcode Fuzzy Hash: 0b70f3bebb548294ee85952a2885ce60b9141d46953621ffde88855cd678a529
                              • Instruction Fuzzy Hash: AB01F730D022059FCB489FA5E8087EDFFF6EB4E211F04606BE145B3240DB710848C769
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000014.00000002.485185864.0000000006BA0000.00000040.00000001.sdmp, Offset: 06BA0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e1552b0d945b9de292ed5290f819f0241889ce320e3b33fa32c70b4434ce9f94
                              • Instruction ID: 38e3ec87b15ff07e9e5150eb698cd87a6bbc1040c8c4623356db157f3ec442bd
                              • Opcode Fuzzy Hash: e1552b0d945b9de292ed5290f819f0241889ce320e3b33fa32c70b4434ce9f94
                              • Instruction Fuzzy Hash: F0F08171D052189FCB489FA9E4087EDFBF5EB8E311F14606AE504B3650DB704854CB68
                              Uniqueness

                              Uniqueness Score: -1.00%