
Windows Analysis Report
INVOICE.exe

Overview

General Information

Sample Name: INVOICE.exe
Analysis ID: 628640
MD5: 9d58123708f80d79654d981a8b6d9924
SHA1: 27317b8dbf347408865b071cd40f8c97d1522482
SHA256: b9066fabc2944828b98d6f22985038c59a5f6cfb1ae09b2f6b5c89bf87a43c44
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • INVOICE.exe (PID: 3004 cmdline: "C:\Users\user\Desktop\INVOICE.exe" MD5: 9D58123708F80D79654D981A8B6D9924)
    • INVOICE.exe (PID: 3488 cmdline: C:\Users\user\Desktop\INVOICE.exe MD5: 9D58123708F80D79654D981A8B6D9924)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730", "Group": "Default", "Domain1": "deranano2.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source | Rule | Description | Author | Strings
00000000.00000002.489522906.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
    00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
      00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      00000000.00000002.495513796.0000000007300000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
      Source | Rule | Description | Author | Strings
      3.0.INVOICE.exe.400000.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      3.0.INVOICE.exe.400000.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      3.0.INVOICE.exe.400000.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
        3.0.INVOICE.exe.400000.4.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
        3.0.INVOICE.exe.400000.4.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>

        AV Detection

        Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\INVOICE.exe, ProcessId: 3488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud

        Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\INVOICE.exe, ProcessId: 3488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Stealing of Sensitive Information

        Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\INVOICE.exe, ProcessId: 3488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality

        Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\INVOICE.exe, ProcessId: 3488, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat


        AV Detection

        Source: 3.0.INVOICE.exe.400000.6.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730", "Group": "Default", "Domain1": "deranano2.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
        Source: INVOICE.exe | ReversingLabs: Detection: 26%
        Source: deranano2.ddns.net | Avira URL Cloud: Label: malware
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR
        Source: INVOICE.exe | Joe Sandbox ML: detected
        Source: 3.0.INVOICE.exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.0.INVOICE.exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.0.INVOICE.exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.0.INVOICE.exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.0.INVOICE.exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: INVOICE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: INVOICE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\OZaAdhaHIy\src\obj\Debug\IObjectRefere.pdb source: INVOICE.exe
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\OZaAdhaHIy\src\obj\Debug\IObjectRefere.pdb, source: INVOICE.exe

        Networking

        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49772 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49772 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49781 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49781 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49787 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49787 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49794 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49794 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 212.193.30.204:1187 -> 192.168.2.5:49794
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49797 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49797 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49803 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49803 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49803 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49806 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49806 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49809 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49809 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49812 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.5:49812
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49813 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49813 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49815 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49815 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49816 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49816 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49818 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.5:49818
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49819 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.5:49819
        Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49822 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49822 -> 212.193.30.204:1187
        Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.5:49822
        Source: Malware configuration extractor | URLs:
        Source: Malware configuration extractor | URLs: deranano2.ddns.net
        Source: unknown | DNS query: name: deranano2.ddns.net
        Source: Joe Sandbox View | ASN Name: SPD-NETTR SPD-NETTR
        Source: Joe Sandbox View | IP Address: 212.193.30.204 212.193.30.204
        Source: global traffic | TCP traffic: 192.168.2.5:49772 -> 212.193.30.204:1187
        Source: unknown | DNS traffic detected: queries for: deranano2.ddns.net
        Source: INVOICE.exe, 00000000.00000002.486049973.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        E-Banking Fraud

        Source: Yara match | File source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR

        System Summary

        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.7300000.11.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT | Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.7300000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.495513796.0000000007300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects zgRAT Author: ditekSHen
        Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: initial sampleStatic PE information: Filename: INVOICE.exe
        Source: INVOICE.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.7300000.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.7300000.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
        Source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.495513796.0000000007300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
        Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\INVOICE.exeCode function: 0_2_009AE6F0
        Source: C:\Users\user\Desktop\INVOICE.exeCode function: 0_2_009AC2C4
        Source: C:\Users\user\Desktop\INVOICE.exeCode function: 0_2_009AE6E0
        Source: INVOICE.exe, 00000000.00000000.433423234.0000000000470000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIObjectRefere.exe@ vs INVOICE.exe
        Source: INVOICE.exe, 00000000.00000002.495513796.0000000007300000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameIVectorView.dllN vs INVOICE.exe
        Source: INVOICE.exe, 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIVectorView.dllN vs INVOICE.exe
        Source: INVOICE.exe, 00000000.00000002.486049973.0000000000BBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs INVOICE.exe
        Source: INVOICE.exe, 00000003.00000000.478773352.0000000000BE0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIObjectRefere.exe@ vs INVOICE.exe
        Source: INVOICE.exeBinary or memory string: OriginalFilenameIObjectRefere.exe@ vs INVOICE.exe
        Source: INVOICE.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: INVOICE.exeReversingLabs: Detection: 26%
        Source: C:\Users\user\Desktop\INVOICE.exeFile read: C:\Users\user\Desktop\INVOICE.exe
        Source: C:\Users\user\Desktop\INVOICE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\INVOICE.exe "C:\Users\user\Desktop\INVOICE.exe"
        Source: C:\Users\user\Desktop\INVOICE.exeProcess created: C:\Users\user\Desktop\INVOICE.exe C:\Users\user\Desktop\INVOICE.exe
        Source: C:\Users\user\Desktop\INVOICE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\INVOICE.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE.exe.log
        Source: classification engineClassification label: mal100.troj.evad.winEXE@3/5@15/2
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\INVOICE.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\INVOICE.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{fe56abb4-cb76-44f1-89b4-7bb11730ab9d}
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\INVOICE.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: INVOICE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: INVOICE.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: INVOICE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\OZaAdhaHIy\src\obj\Debug\IObjectRefere.pdb source: INVOICE.exe
        Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\OZaAdhaHIy\src\obj\Debug\IObjectRefere.pdb, source: INVOICE.exe

        Data Obfuscation

        Source: INVOICE.exe, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.INVOICE.exe.3d0000.0.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.INVOICE.exe.3d0000.0.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.7.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.13.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.1.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.11.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.3.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.5.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.0.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.2.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.b40000.9.unpack, TemporalToolkit/frmMain.cs | .Net Code: CspKey System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: INVOICE.exe, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 0.2.INVOICE.exe.3d0000.0.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 0.0.INVOICE.exe.3d0000.0.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.7.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.13.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.1.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.11.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.3.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.5.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.0.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.2.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: 3.0.INVOICE.exe.b40000.9.unpack, TemporalToolkit/frmMain.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "466F726D61744C69746572", "455330364859", "TemporalToolkit" } }, null, null)
        Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_009A7B71 pushad ; retf 0_2_009A7B7D
        Source: initial sample | Static PE information: section name: .text entropy: 7.94289795658
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.INVOICE.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.INVOICE.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.INVOICE.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.0.INVOICE.exe.400000.12.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 3.0.INVOICE.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
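The Data Obfuscation rows above show the three traits an analyst would triage first: a method named CspKey that calls System.Reflection.Assembly.Load(byte[]) (an in-memory stage, consistent with the CreateDecryptor/TransformFinalBlock calls listed earlier), a Visual Basic LateBinding.LateCall("Invoke", ...) whose first two arguments are hex-encoded ASCII rather than plain strings, and a .text section whose entropy of 7.94 bits per byte is close to the 8.0 ceiling. The script below is an added example, not part of the Joe Sandbox report or of the sample: it decodes the LateCall arguments exactly as they appear in the rows (they decode to FormatLiter and ES06HY) and computes section entropy with a packed/encrypted threshold. The 7.2 threshold and the demo sections are assumptions for illustration, not values from the report.

```python
import math
import string
from typing import Dict, Iterable, List, Tuple

# Arguments copied verbatim from the LateBinding.LateCall(...) rows in the report.
# The third is already plain text; the first two are hex-encoded ASCII.
LATECALL_ARGS = ["466F726D61744C69746572", "455330364859", "TemporalToolkit"]

# Entropy the report gives for the .text section of the initial sample.
TEXT_SECTION_ENTROPY = 7.94289795658

# Heuristic threshold (assumption, not from the report). Ordinary .NET code
# sections sit well below it; compressed or encrypted payloads approach 8.0.
PACKED_ENTROPY_THRESHOLD = 7.2


def is_hex_string(s: str) -> bool:
    """True for a non-empty, even-length string made only of hex digits."""
    return len(s) > 0 and len(s) % 2 == 0 and all(c in string.hexdigits for c in s)


def decode_hex_arg(arg: str) -> str:
    """Decode a hex-encoded ASCII argument; anything else is returned unchanged.

    The decode is only accepted when every byte is printable ASCII, so binary
    blobs that happen to be hex-shaped are left in their original form.
    """
    if not is_hex_string(arg):
        return arg
    raw = bytes.fromhex(arg)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return arg


def decode_latecall_args(args: Iterable[str]) -> List[str]:
    return [decode_hex_arg(a) for a in args]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_packed(entropy: float, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    return entropy >= threshold


def section_entropy_report(sections: Dict[str, bytes]) -> Dict[str, Tuple[float, bool]]:
    """Map section name -> (entropy rounded to 4 places, above threshold?)
    for a dict of section name -> raw section bytes, e.g. from a PE parser."""
    report = {}
    for name, body in sections.items():
        h = shannon_entropy(body)
        report[name] = (round(h, 4), looks_packed(h))
    return report


if __name__ == "__main__":
    print("LateCall args:", decode_latecall_args(LATECALL_ARGS))
    print(".text entropy:", TEXT_SECTION_ENTROPY, "packed:", looks_packed(TEXT_SECTION_ENTROPY))
    # Constructed demo sections (not from the sample): one flat, one uniformly distributed.
    demo = {".flat": b"\x00" * 4096, ".blob": bytes(range(256)) * 16}
    print(section_entropy_report(demo))
```

Decoded, the call passes two short identifiers and the assembly name TemporalToolkit to whatever object V_0 resolves to at run time; the hex encoding only defeats naive string searches, which is why the hits were found in the decompiled code rather than in the string table. Entropy alone is a weak signal (a large embedded icon or a signed certificate also raises it), so it is reported per section and combined with the Assembly.Load evidence rather than used on its own.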

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Users\user\Desktop\INVOICE.exe | File opened: C:\Users\user\Desktop\INVOICE.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\INVOICE.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\INVOICE.exe | Process information set: NOOPENFILEERRORBOX (80 identical rows)

        Malware Analysis System Evasion

        Source: Yara match | File source: 00000000.00000002.489522906.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR
        Source: INVOICE.exe, 00000000.00000002.489522906.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: INVOICE.exe, 00000000.00000002.489522906.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\INVOICE.exe TID: 6104 | Thread sleep time: -45733s >= -30000s
        Source: C:\Users\user\Desktop\INVOICE.exe TID: 6408 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\INVOICE.exe TID: 3360 | Thread sleep time: -17524406870024063s >= -30000s
        Source: C:\Users\user\Desktop\INVOICE.exe | Thread delayed: delay time: 922337203685477 (2 identical rows)
        Source: C:\Users\user\Desktop\INVOICE.exe | Window / User API: threadDelayed 7966
        Source: C:\Users\user\Desktop\INVOICE.exe | Window / User API: threadDelayed 1254
        Source: C:\Users\user\Desktop\INVOICE.exe | Window / User API: foregroundWindowGot 767
        Source: C:\Users\user\Desktop\INVOICE.exe | Window / User API: foregroundWindowGot 674
        Source: C:\Users\user\Desktop\INVOICE.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Thread delayed: delay time: 45733
        Source: C:\Users\user\Desktop\INVOICE.exe | Thread delayed: delay time: 922337203685477 (2 identical rows)
        Source: INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
        Source: INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
        Source: INVOICE.exe, 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Users\user\Desktop\INVOICE.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\INVOICE.exe | Memory allocated: page read and write | page guard
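Two kinds of evidence sit in the evasion rows above: strings in process memory that only exist to be compared against the host (the Sandboxie DLL name, the Wine-only kernel32 export, VMware device and registry paths), and sleep calls whose length is chosen to outlast a sandbox. The report prints the sleep values with an "s" suffix, but 922337203685477 is exactly Int64.MaxValue divided by 10000, i.e. TimeSpan.MaxValue expressed in whole milliseconds, so the classifier below treats the numbers as milliseconds (an assumption) and reuses the report's own 30000 threshold. The script is an added example, not part of the report: it scans a constructed memory dump for the listed indicators in both ASCII and UTF-16LE, because managed strings in a .NET process are stored as UTF-16 and an ASCII-only scan of a dump from this sample would miss most of them. The demo dump and the bucket names are constructed for illustration.

```python
import re
from typing import List, Tuple

# Strings the report found in INVOICE.exe memory and attributes to
# sandbox/VM detection (Sandboxie DLL, Wine export, VMware artefacts).
ANTI_ANALYSIS_INDICATORS = [
    "SBIEDLL.DLL",
    "WINE_GET_UNIX_FILE_NAME",
    "VMware SVGA II",
    "SOFTWARE\\VMware, Inc.\\VMware Tools",
    "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
]

# TimeSpan.MaxValue in whole milliseconds: Int64.MaxValue ticks / 10000.
# A delay this long never returns during a sandbox run.
TIMESPAN_MAX_MS = (2 ** 63 - 1) // 10_000  # 922337203685477

# The report's own long-sleep threshold, from its "-30000s" comparisons.
LONG_SLEEP_MS = 30_000


def scan_memory_for_indicators(blob: bytes, indicators=ANTI_ANALYSIS_INDICATORS) -> List[Tuple[str, str, int]]:
    """Return (indicator, encoding, offset) for every case-insensitive hit.

    Each indicator is searched as ASCII and as UTF-16LE, since .NET string
    objects hold their characters as UTF-16 in process memory. re.IGNORECASE
    on a bytes pattern folds ASCII letters only, which is all these need.
    """
    hits = []
    for ind in indicators:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.escape(ind.encode(enc))
            for m in re.finditer(pattern, blob, flags=re.IGNORECASE):
                hits.append((ind, enc, m.start()))
    return sorted(hits, key=lambda h: h[2])


def classify_sleep(ms: int) -> str:
    """Bucket a requested delay the way the 'Thread sleep time' rows are read.

    Relative NtDelayExecution intervals are negative, so the sign is dropped.
    Sandbox timeouts are measured in minutes; an effectively infinite or
    multi-minute sleep before any real activity is itself the signal.
    """
    ms = abs(ms)
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def build_demo_dump() -> bytes:
    """Constructed process-memory sample (not from the report): filler bytes
    plus three indicators in the encodings a .NET process would hold them in."""
    return (
        b"\x00" * 64
        + "vmware svga ii".encode("utf-16-le")          # managed string, lower case
        + b"\x00" * 32
        + b"SbieDll.dll"                                  # native-style ASCII, mixed case
        + b"\x00" * 16
        + "KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME".encode("utf-16-le")
    )


if __name__ == "__main__":
    for ind, enc, off in scan_memory_for_indicators(build_demo_dump()):
        print(f"{off:#08x} {enc:<9} {ind}")
    for value in (-45733, -922337203685477, -17524406870024063, 1254):
        print(value, classify_sleep(value))
```

The foregroundWindowGot and threadDelayed counts in the same rows are the complementary half of this logic: the sample loops on user-interaction APIs hundreds of times while it waits, so a detection that keys only on a single long sleep would miss a variant that replaces the sleep with a polling loop.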

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\INVOICE.exe | Memory written: C:\Users\user\Desktop\INVOICE.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\INVOICE.exe | Process created: C:\Users\user\Desktop\INVOICE.exe C:\Users\user\Desktop\INVOICE.exe
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Users\user\Desktop\INVOICE.exe VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Users\user\Desktop\INVOICE.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
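The block of WMI queries above is the classic Security Software Discovery pattern: the sample enumerates every registered AntiVirusProduct, AntiSpywareProduct and FirewallProduct in ROOT\SecurityCenter2, and a few lines earlier it reads HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid, the usual victim-ID seed. Legitimate inventory and management agents also query SecurityCenter2, so the useful signal is the combination (all three product classes, repeated, plus a host fingerprint) rather than any single query. The script below is an added example, not part of the Joe Sandbox report: it parses behaviour lines in the layout the report prints (process path and event name run together) and turns them into per-process findings. The sample lines are constructed, and the field names and the "full pattern" rule are my own choices.

```python
"""
Added example: flag SecurityCenter2 enumeration plus MachineGuid reads in
sandbox behaviour lines. Not part of the report; thresholds are mine.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the report's "Source: <proc><event>: <detail>" layout.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\INVOICE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct",
    r"Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct",
    r"Source: C:\Users\user\Desktop\INVOICE.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    # noise that must not trigger: a font query and a benign CIMV2 query from another process
    r"Source: C:\Users\user\Desktop\INVOICE.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation",
    r"Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_OperatingSystem",
]

WMI_RE = re.compile(
    r"^Source: (?P<proc>.+?)WMI Queries: IWbemServices::ExecQuery - "
    r"(?P<ns>[^ ]+) : (?P<query>.+)$"
)
REG_RE = re.compile(r"^Source: (?P<proc>.+?)Key value queried: (?P<key>.+?) (?P<value>\S+)$")
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

SECURITY_CENTER_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}


def parse_wmi_queries(lines):
    """Return (process, namespace, wmi_class) for every WMI query line."""
    out = []
    for line in lines:
        m = WMI_RE.match(line)
        if not m:
            continue
        cls = FROM_RE.search(m["query"])
        out.append((m["proc"], m["ns"].upper(), cls.group(1) if cls else None))
    return out


def security_software_discovery(lines):
    """Per process: which SecurityCenter2 product classes were enumerated, and how often."""
    per_proc = {}
    for proc, ns, cls in parse_wmi_queries(lines):
        if ns == r"ROOT\SECURITYCENTER2" and cls in SECURITY_CENTER_CLASSES:
            per_proc.setdefault(proc, Counter())[cls] += 1
    return per_proc


def machine_guid_reads(lines):
    """Processes that read HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid."""
    procs = set()
    for line in lines:
        m = REG_RE.match(line)
        if m and m["key"].lower().endswith(r"\microsoft\cryptography") and m["value"] == "MachineGuid":
            procs.add(m["proc"])
    return procs


def triage(lines):
    """Combine both indicators into per-process findings (only processes that touched SecurityCenter2)."""
    findings = {}
    guid_readers = machine_guid_reads(lines)
    for proc, classes in security_software_discovery(lines).items():
        findings[proc] = {
            "securitycenter2_classes": sorted(classes),
            "query_count": sum(classes.values()),
            "reads_machineguid": proc in guid_readers,
            # my rule: all three product classes plus a host fingerprint is the full pattern
            "full_pattern": set(classes) >= SECURITY_CENTER_CLASSES and proc in guid_readers,
        }
    return findings


if __name__ == "__main__":
    for proc, finding in triage(SAMPLE_LINES).items():
        print(proc, finding)
```

Run against a whole report, only INVOICE.exe comes out with the full pattern; explorer.exe's CIMV2 query and the font enumeration are ignored by construction.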

        Stealing of Sensitive Information

        Source: Yara matchFile source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR

        Remote Access Functionality

        Source: INVOICE.exe, 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: INVOICE.exe, 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: Yara matchFile source: 3.0.INVOICE.exe.400000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.INVOICE.exe.400000.8.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.INVOICE.exe.400000.12.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INVOICE.exe.3a06ad0.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.INVOICE.exe.400000.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INVOICE.exe.3a394f0.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.0.INVOICE.exe.400000.10.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INVOICE.exe.3a394f0.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INVOICE.exe.3a06ad0.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.INVOICE.exe.39cb2b0.8.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: INVOICE.exe PID: 3004, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: INVOICE.exe PID: 3488, type: MEMORYSTR
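The two string hits above are the family marker: "NanoCore.ClientPluginHost" is the plugin-host type name the NanoCore client carries, found here in the injected region at 0x402000 of PID 3 and in the heap of the first process. The unpacked regions the report names (3.0.INVOICE.exe.400000.*.unpack) are managed PEs. The script below is an added example, not from the report and not NanoCore code: it checks a dumped region for that marker in both encodings (type names sit in the .NET #Strings heap as UTF-8, but any copy held in a .NET string object is UTF-16LE, so an ASCII-only grep misses some dumps) and walks the PE headers by hand to see whether the region has a CLR runtime header, which is what a NanoCore client image has. The region fed to it is constructed test data, and the offsets in it are illustrative.

```python
"""
Added example: NanoCore marker scan (ASCII + UTF-16LE) and managed-PE check
over a dumped memory region. Not part of the report; the blob built at the
bottom is constructed test data.
"""
import re
import struct

NANOCORE_MARKERS = ("NanoCore.ClientPluginHost",)   # string the report found in memory


def find_markers(data: bytes, markers=NANOCORE_MARKERS):
    """Return [(marker, offset, encoding)] for ASCII and UTF-16LE hits, sorted by offset."""
    hits = []
    for m in markers:
        for enc, needle in (("ascii", m.encode("ascii")), ("utf-16le", m.encode("utf-16-le"))):
            for mo in re.finditer(re.escape(needle), data):
                hits.append((m, mo.start(), enc))
    return sorted(hits, key=lambda h: h[1])


def clr_header_directory(data: bytes):
    """(rva, size) of the CLR runtime header, or None if the blob is not a managed PE.

    Walks DOS header -> PE signature -> optional header -> data directory 14
    (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) with no third-party parser.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                         # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                          # PE32
        dirs, count_off = opt + 96, opt + 92
    elif magic == 0x20B:                        # PE32+
        dirs, count_off = opt + 112, opt + 108
    else:
        return None
    if dirs + 15 * 8 > len(data):
        return None                             # truncated region: entry 14 is not there
    if struct.unpack_from("<I", data, count_off)[0] < 15:
        return None                             # NumberOfRvaAndSizes too small for entry 14
    rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)
    return (rva, size) if rva and size else None


def triage_region(data: bytes):
    """Verdict dict combining the marker scan and the managed-PE check."""
    hits = find_markers(data)
    clr = clr_header_directory(data)
    return {
        "managed_pe": clr is not None,
        "clr_header": clr,
        "marker_hits": hits,
        "nanocore_marker": bool(hits),
    }


def build_constructed_region():
    """Constructed stand-in for a dumped region: a minimal PE32 header with a CLR
    directory entry, followed by the marker in both encodings. Test data only."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 14 * 8, 0x2008, 0x48)  # illustrative CLR header RVA/size
    marker = NANOCORE_MARKERS[0]
    body = (b"\x00" * 16 + marker.encode("ascii")
            + b"\x00" * 16 + marker.encode("utf-16-le"))
    return bytes(hdr) + body


if __name__ == "__main__":
    print(triage_region(build_constructed_region()))
```

On a real dump (for example a region saved from the injected process) call triage_region(open(path, "rb").read()); a marker hit without a CLR header usually means the region is a heap or a string table rather than the client image itself.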
        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts1
        Windows Management Instrumentation
        Path Interception111
        Process Injection
        1
        Masquerading
        1
        Input Capture
        1
        Query Registry
        Remote Services1
        Input Capture
        Exfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Disable or Modify Tools
        LSASS Memory111
        Security Software Discovery
        Remote Desktop Protocol11
        Archive Collected Data
        Exfiltration Over Bluetooth1
        Non-Standard Port
        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
        Virtualization/Sandbox Evasion
        Security Account Manager1
        Process Discovery
        SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
        Remote Access Software
        Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)111
        Process Injection
        NTDS21
        Virtualization/Sandbox Evasion
        Distributed Component Object ModelInput CaptureScheduled Transfer1
        Non-Application Layer Protocol
        SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
        Deobfuscate/Decode Files or Information
        LSA Secrets1
        Application Window Discovery
        SSHKeyloggingData Transfer Size Limits21
        Application Layer Protocol
        Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.common1
        Hidden Files and Directories
        Cached Domain Credentials12
        System Information Discovery
        VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup Items2
        Obfuscated Files or Information
        DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job23
        Software Packing
        Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Source | Detection | Scanner | Label
        INVOICE.exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
        INVOICE.exe | 100% | Joe Sandbox ML |
        The ReversingLabs label (AgentTesla) disagrees with the behavioural signatures, the Yara matches and the NanoCore.ClientPluginHost string found in memory, which all identify NanoCore; a generic static label on a packed MSIL loader is a detection, not family attribution.
        No Antivirus matches
        Source | Detection | Scanner | Label
        3.0.INVOICE.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.INVOICE.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.INVOICE.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.INVOICE.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        3.0.INVOICE.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        No Antivirus matches
        Source | Detection | Scanner | Label
        (empty URL) | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
        http://www.tiro.com | 0% | URL Reputation | safe
        http://www.goodfont.co.kr | 0% | URL Reputation | safe
        http://www.fontbureau.coma | 0% | URL Reputation | safe
        http://www.fontbureau.comiona | 0% | URL Reputation | safe
        http://www.carterandcone.coml | 0% | URL Reputation | safe
        http://www.sajatypeworks.com | 0% | URL Reputation | safe
        http://www.typography.netD | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
        http://fontfabrik.com | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe
        deranano2.ddns.net | 100% | Avira URL Cloud | malware
        http://www.fontbureau.comdiao2 | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
        http://www.sandoll.co.kr | 0% | URL Reputation | safe
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
        http://www.sakkal.com | 0% | URL Reputation | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        deranano2.ddns.net | 212.193.30.204 | true | true | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        (empty URL) | true | Avira URL Cloud: safe | low
        deranano2.ddns.net | true | Avira URL Cloud: malware | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.apache.org/licenses/LICENSE-2.0 | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.fontbureau.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.fontbureau.com/designersG | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.fontbureau.com/designers/? | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.founder.com.cn/cn/bThe | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers? | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.tiro.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.goodfont.co.kr | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.coma | INVOICE.exe, 00000000.00000002.484971382.00000000005C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.comiona | INVOICE.exe, 00000000.00000002.484971382.00000000005C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.carterandcone.coml | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.sajatypeworks.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.typography.netD | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/cabarga.htmlN | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.founder.com.cn/cn/cThe | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.galapagosdesign.com/staff/dennis.htm | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://fontfabrik.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cn | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/frere-jones.html | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.fontbureau.comdiao2 | INVOICE.exe, 00000000.00000002.484971382.00000000005C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.jiyu-kobo.co.jp/ | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.galapagosdesign.com/DPlease | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers8 | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.fonts.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://www.sandoll.co.kr | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.urwpp.deDPlease | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.zhongyicts.com.cn | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://www.sakkal.com | INVOICE.exe, 00000000.00000002.493957274.0000000006912000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
212.193.30.204 | deranano2.ddns.net | Russian Federation | 57844 | SPD-NETTR | true
IP
192.168.2.1
                              Joe Sandbox Version:34.0.0 Boulder Opal
                              Analysis ID:628640
Start date and time: 2022-05-17 20:28:39 +02:00
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 9m 16s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Sample file name:INVOICE.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@3/5@15/2
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:
                              • Successful, ratio: 0.1% (good quality ratio 0.1%)
                              • Quality average: 42.3%
                              • Quality standard deviation: 32.8%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 18
                              • Number of non-executed functions: 1
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Adjust boot time
                              • Enable AMSI
                              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                              • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 20.223.24.244
                              • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • VT rate limit hit for: INVOICE.exe
Time | Type | Description
20:30:06 | API Interceptor | 795x Sleep call for process: INVOICE.exe modified
Match | Associated Sample Name / URL | Detection | Context
212.193.30.204 | INQUIRY.exe | malicious |
| Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe | malicious |
| MARIAM HONAINE'S CV.exe | malicious |
| QUOTATION.exe | malicious |
| 2020574185.exe | malicious |
| ORDER.exe | malicious |
| POP.exe | malicious |
| Bill Of Lading.exe | malicious |
| 900010225 CON.LUMES JAIPUR 05.02.2022.exe | malicious |
Match | Associated Sample Name / URL | Detection | Context
deranano2.ddns.net | INQUIRY.exe | malicious | 212.193.30.204
| Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe | malicious | 212.193.30.204
| MARIAM HONAINE'S CV.exe | malicious | 212.193.30.204
| QUOTATION.exe | malicious | 212.193.30.204
| 2020574185.exe | malicious | 212.193.30.204
| ORDER.exe | malicious | 212.193.30.204
| POP.exe | malicious | 212.193.30.204
| Bill Of Lading.exe | malicious | 212.193.30.204
| 900010225 CON.LUMES JAIPUR 05.02.2022.exe | malicious | 212.193.30.204
| FYI.exe | malicious | 194.31.98.18
| FYI.exe | malicious | 194.31.98.18
| VOLGOIL LLC SOFT CORPORATE OFFER VESSEL TO TANK.exe | malicious | 194.31.98.18
| product specification and detailspdf.exe | malicious | 194.31.98.18
Match | Associated Sample Name / URL | Detection | Context
SPD-NETTR | Setup.exe | malicious | 212.193.30.29
| INQUIRY.exe | malicious | 212.193.30.204
| E3387D3F62414FB262DA20E54D5775A647443B88CD8A0.exe | malicious | 212.193.30.29
| E4B23EBEB82594979325357CE20F14F70143D98FF49A9.exe | malicious | 212.193.30.29
| Circular PSSB Parts Disc Credit Term (Dlr) May12 2022 (1).exe | malicious | 212.193.30.204
| New Purchase Order 4522028497676.xlsx | malicious | 212.193.30.214
| MARIAM HONAINE'S CV.exe | malicious | 212.193.30.204
| QUOTATION.exe | malicious | 212.193.30.204
| Resetter.exe | malicious | 212.193.30.29
| SecuriteInfo.com.Trojan.PackedNET.331.26146.exe | malicious | 212.193.30.38
| hdk8Z67C7x.exe | malicious | 212.193.30.29
| CHANGE OF ACCOUNT RUSH TO DESK.exe | malicious | 212.193.30.101
| 2020574185.exe | malicious | 212.193.30.204
| ORDER.exe | malicious | 212.193.30.204
| ckc238HATk.exe | malicious | 212.193.30.45
| ckc238HATk.exe | malicious | 212.193.30.45
| TjDCLiM89x.exe | malicious | 212.193.30.45
| POP.exe | malicious | 212.193.30.204
| AFAC7896CF21983233C533EEAEC870610856969D98218.exe | malicious | 212.193.30.29
| E4FB57012D7A31E6511C4BAC952323093E8BB51F13884.exe | malicious | 212.193.30.29
                                                No context
                                                No context
                                                Process:C:\Users\user\Desktop\INVOICE.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1308
                                                Entropy (8bit):5.345811588615766
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
                                                MD5:EA78C102145ED608EF0E407B978AF339
                                                SHA1:66C9179ED9675B9271A97AB1FC878077E09AB731
                                                SHA-256:8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
                                                SHA-512:8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
                                                Malicious:true
                                                Reputation:moderate, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                Process:C:\Users\user\Desktop\INVOICE.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):232
                                                Entropy (8bit):7.024371743172393
                                                Encrypted:false
                                                SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                                                MD5:32D0AAE13696FF7F8AF33B2D22451028
                                                SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                                                SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                                                SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                Process:C:\Users\user\Desktop\INVOICE.exe
                                                File Type:Non-ISO extended-ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):8
                                                Entropy (8bit):3.0
                                                Encrypted:false
                                                SSDEEP:3:q8l9tn:q8Fn
                                                MD5:A8BADF4E8D986108589909B1AE02C207
                                                SHA1:80D375744D4B880EE40956B61AB5E7E3B6C696FE
                                                SHA-256:B9FE1CD4CAEDEADEAE92F8C70EDA0B0DA99FDCC0DC788157D7B28AE6799AA06F
                                                SHA-512:5F1C1FB140D9BA7FF5FD373742A116237C8665ED483FE4950D41F5AB729711162223CAF840879E52E03B51949DB7608039C839EE77FD0A8DD10C2723F0406336
                                                Malicious:true
                                                Reputation:low
                                                Preview:E.Y.~8.H
                                                Process:C:\Users\user\Desktop\INVOICE.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):40
                                                Entropy (8bit):5.153055907333276
                                                Encrypted:false
                                                SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                MD5:4E5E92E2369688041CC82EF9650EDED2
                                                SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview:9iH...}Z.4..f.~a........~.~.......3.U.
                                                Process:C:\Users\user\Desktop\INVOICE.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):327432
                                                Entropy (8bit):7.99938831605763
                                                Encrypted:true
                                                SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                Malicious:false
                                                Preview:pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.935606119244415
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Windows Screen Saver (13104/52) 0.07%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:INVOICE.exe
                                                File size:656896
                                                MD5:9d58123708f80d79654d981a8b6d9924
                                                SHA1:27317b8dbf347408865b071cd40f8c97d1522482
                                                SHA256:b9066fabc2944828b98d6f22985038c59a5f6cfb1ae09b2f6b5c89bf87a43c44
                                                SHA512:f6b5cfbe894549644337e605513e3d8d517c16a167141eb693033d95ff5c9b95f6a8a72090605dd9817827a5453abc828d7a1ec4088afe019151cbddeed8a2b8
                                                SSDEEP:12288:nsWyvNVQClWSEqOPhn/qu09/c3OwKjGes84ChuNtrzMnrj3NcMs0Tve:nsWI7WSEv/ql/mOjZsiuN5z6sQ
                                                TLSH:29D4120A709EEB3BC97CB7F95441525013B1B22B3457E32C9ECAE0C75A9BF406685B17
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...og.b..............0......@......V.... ........@.. .......................`............@................................
                                                Icon Hash:64e4d2eeacd6d819
                                                Entrypoint:0x49e356
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x6283676F [Tue May 17 09:14:23 2022 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add dword ptr [eax], eax
                                                add byte ptr [eax], al
                                                add al, byte ptr [eax]
                                                add byte ptr [eax], al
                                                add eax, dword ptr [eax]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                pop ds
                                                add byte ptr [eax], al
                                                add bh, bh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9e304 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x3c74 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9e1cc | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9c39c | 0x9c400 | False | 0.9418953125 | data | 7.94289795658 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa0000 | 0x3c74 | 0x3e00 | False | 0.92244203629 | data | 7.6910187968 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xa00c8 | 0x3832 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xa390c | 0x14 | data | |
RT_VERSION | 0xa3930 | 0x340 | data | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Chandler's 2022 (C)
Assembly Version | 1.1.0.0
InternalName | IObjectRefere.exe
FileVersion | 1.1.0.0
CompanyName | Chandler's
LegalTrademarks |
Comments |
ProductName | TemporalToolkit
ProductVersion | 1.1.0.0
FileDescription |
OriginalFilename | IObjectRefere.exe
                                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                192.168.2.5212.193.30.2044981511872816766 05/17/22-20:31:37.145576TCP2816766ETPRO TROJAN NanoCore RAT CnC 7498151187192.168.2.5212.193.30.204
                                                192.168.2.5212.193.30.2044979411872816766 05/17/22-20:30:47.656373TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497941187192.168.2.5212.193.30.204
                                                212.193.30.204192.168.2.51187498182841753 05/17/22-20:31:48.726428TCP2841753ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)118749818212.193.30.204192.168.2.5
                                                212.193.30.204192.168.2.51187498192841753 05/17/22-20:31:53.756641TCP2841753ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)118749819212.193.30.204192.168.2.5
                                                192.168.2.5212.193.30.2044982211872816766 05/17/22-20:31:58.715420TCP2816766ETPRO TROJAN NanoCore RAT CnC 7498221187192.168.2.5212.193.30.204
                                                192.168.2.5212.193.30.2044980611872816766 05/17/22-20:31:10.821016TCP2816766ETPRO TROJAN NanoCore RAT CnC 7498061187192.168.2.5212.193.30.204
                                                192.168.2.5212.193.30.2044980311872025019 05/17/22-20:31:00.853122TCP2025019ET TROJAN Possible NanoCore C2 60B498031187192.168.2.5212.193.30.204
                                                192.168.2.5212.193.30.2044979711872025019 05/17/22-20:30:54.580308TCP2025019ET TROJAN Possible NanoCore C2 60B497971187192.168.2.5212.193.30.204
                                                192.168.2.5212.193.30.2044980311872816718 05/17/22-20:31:01.197924TCP2816718ETPRO TROJAN NanoCore RAT Keep-Alive Beacon498031187192.168.2.5212.193.30.204
                                                192.168.2.5212.193.30.2044978711872816766 05/17/22-20:30:40.618852TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497871187192.168.2.5212.193.30.204
                                                212.193.30.204192.168.2.51187498222841753 05/17/22-20:32:03.661713TCP2841753ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)118749822212.193.30.204192.168.2.5
                                                192.168.2.5212.193.30.2044979711872816766 05/17/22-20:30:55.725499TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497971187192.168.2.5212.193.30.204
05/17/22-20:30:38.957783  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49787  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:42.303773  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49816  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:22.376109  TCP  2841753  ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)  1187   49812  212.193.30.204  192.168.2.5
05/17/22-20:31:07.938867  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49806  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:17.197289  TCP  2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49809  1187   192.168.2.5     212.193.30.204
05/17/22-20:30:31.001024  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49781  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:15.942780  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49809  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:22.345784  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49812  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:53.726213  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49819  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:58.625380  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49822  1187   192.168.2.5     212.193.30.204
05/17/22-20:30:46.018194  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49794  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:36.233314  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49815  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:43.265162  TCP  2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49816  1187   192.168.2.5     212.193.30.204
05/17/22-20:30:24.595254  TCP  2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49772  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:29.263030  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49813  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:48.698744  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49818  1187   192.168.2.5     212.193.30.204
05/17/22-20:31:31.058415  TCP  2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49813  1187   192.168.2.5     212.193.30.204
05/17/22-20:30:22.925084  TCP  2025019  ET TROJAN Possible NanoCore C2 60B                     49772  1187   192.168.2.5     212.193.30.204
05/17/22-20:30:33.613252  TCP  2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49781  1187   192.168.2.5     212.193.30.204
05/17/22-20:30:47.256191  TCP  2810290  ETPRO TROJAN NanoCore RAT Keepalive Response 1         1187   49794  212.193.30.204  192.168.2.5
05/17/22-20:31:02.293623  TCP  2816766  ETPRO TROJAN NanoCore RAT CnC 7                        49803  1187   192.168.2.5     212.193.30.204
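The Snort rows above show the detection-relevant pattern of this sample: the 60-byte NanoCore handshake rule (SID 2025019) fires once per new client connection to 212.193.30.204:1187, each time from a fresh ephemeral port, and the connections arrive at a fairly regular cadence. The script below is an added example, not part of the Joe Sandbox report or of any Emerging Threats tooling: it parses the 21 alert rows exactly as listed above (embedded as sample input), counts hits per rule, enumerates the client connections to the C2 socket, and measures the gaps between successive handshakes with a median-based jitter test so that one long pause does not mask the beat. The C2 socket, the handshake SID and the jitter thresholds are taken from this report or chosen for illustration, as noted in the comments.

```python
"""Parse Snort alert rows from a Joe Sandbox report and measure C2 beaconing cadence."""
from collections import Counter
from datetime import datetime
from statistics import median
from typing import NamedTuple

# Sample input: the 21 alert rows from the Snort table above (Joe Sandbox analysis
# 628640), in Joe Sandbox's column order: timestamp, protocol, SID, message,
# source port, destination port, source IP, destination IP.
ALERT_ROWS = """\
05/17/22-20:30:38.957783 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49787 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:42.303773 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49816 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:22.376109 TCP 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 1187 49812 212.193.30.204 192.168.2.5
05/17/22-20:31:07.938867 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49806 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:17.197289 TCP 2816766 ETPRO TROJAN NanoCore RAT CnC 7 49809 1187 192.168.2.5 212.193.30.204
05/17/22-20:30:31.001024 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49781 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:15.942780 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49809 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:22.345784 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49812 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:53.726213 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49819 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:58.625380 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49822 1187 192.168.2.5 212.193.30.204
05/17/22-20:30:46.018194 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49794 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:36.233314 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49815 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:43.265162 TCP 2816766 ETPRO TROJAN NanoCore RAT CnC 7 49816 1187 192.168.2.5 212.193.30.204
05/17/22-20:30:24.595254 TCP 2816766 ETPRO TROJAN NanoCore RAT CnC 7 49772 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:29.263030 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49813 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:48.698744 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49818 1187 192.168.2.5 212.193.30.204
05/17/22-20:31:31.058415 TCP 2816766 ETPRO TROJAN NanoCore RAT CnC 7 49813 1187 192.168.2.5 212.193.30.204
05/17/22-20:30:22.925084 TCP 2025019 ET TROJAN Possible NanoCore C2 60B 49772 1187 192.168.2.5 212.193.30.204
05/17/22-20:30:33.613252 TCP 2816766 ETPRO TROJAN NanoCore RAT CnC 7 49781 1187 192.168.2.5 212.193.30.204
05/17/22-20:30:47.256191 TCP 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 1187 49794 212.193.30.204 192.168.2.5
05/17/22-20:31:02.293623 TCP 2816766 ETPRO TROJAN NanoCore RAT CnC 7 49803 1187 192.168.2.5 212.193.30.204
"""

C2_IP, C2_PORT = "212.193.30.204", 1187   # the C2 socket seen in this report
HANDSHAKE_SID = 2025019                    # fires once per new client connection in this data


class Alert(NamedTuple):
    ts: datetime
    proto: str
    sid: int
    msg: str
    sport: int
    dport: int
    src: str
    dst: str


def parse_alert(line: str) -> Alert:
    """Split one row. The message is the only multi-word field, so take the
    fixed fields from both ends and join whatever is left in the middle."""
    f = line.split()
    ts = datetime.strptime(f[0], "%m/%d/%y-%H:%M:%S.%f")
    return Alert(ts, f[1], int(f[2]), " ".join(f[3:-4]),
                 int(f[-4]), int(f[-3]), f[-2], f[-1])


def parse_alerts(text: str) -> list[Alert]:
    return [parse_alert(line) for line in text.splitlines() if line.strip()]


def hits_by_sid(alerts: list[Alert]) -> Counter:
    """How often each rule fired, keyed by (SID, message)."""
    return Counter((a.sid, a.msg) for a in alerts)


def c2_sessions(alerts: list[Alert], c2_ip: str, c2_port: int) -> list[int]:
    """Client ephemeral ports seen talking to the C2 socket, in either direction."""
    ports = set()
    for a in alerts:
        if (a.dst, a.dport) == (c2_ip, c2_port):
            ports.add(a.sport)
        elif (a.src, a.sport) == (c2_ip, c2_port):
            ports.add(a.dport)
    return sorted(ports)


def beacon_intervals(alerts: list[Alert], sid: int) -> list[float]:
    """Seconds between consecutive firings of one rule, in time order."""
    times = sorted(a.ts for a in alerts if a.sid == sid)
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def looks_like_beaconing(intervals: list[float], max_jitter: float = 0.5,
                         min_samples: int = 5) -> bool:
    """Robust periodicity test: median absolute deviation relative to the median.
    One long gap (the 21.9 s pause in this data) does not hide the beat the way
    a standard deviation would. The thresholds are illustrative assumptions."""
    if len(intervals) < min_samples:
        return False
    med = median(intervals)
    mad = median(abs(i - med) for i in intervals)
    return med > 0 and mad / med <= max_jitter


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_ROWS)
    for (sid, msg), n in sorted(hits_by_sid(alerts).items()):
        print(f"{sid}  x{n:<3} {msg}")
    ports = c2_sessions(alerts, C2_IP, C2_PORT)
    print(f"{len(ports)} client connections to {C2_IP}:{C2_PORT}, ports {ports[0]}..{ports[-1]}")
    gaps = beacon_intervals(alerts, HANDSHAKE_SID)
    print(f"handshake gaps: min {min(gaps):.1f}s  median {median(gaps):.1f}s  max {max(gaps):.1f}s")
    print("beaconing:", looks_like_beaconing(gaps))
```

Run as-is it reports 13 handshake alerts over 14 distinct client ports (49772 through 49822), with gaps between handshakes of roughly 5 to 8 seconds apart from one 21.9 s pause, and the MAD/median ratio stays well under the 0.5 jitter threshold, so the connection pattern is flagged as beaconing. The parser splits on whitespace from both ends, so it also accepts the aligned table layout rather than only the single-spaced sample.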
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
May 17, 2022 20:30:22.785531044 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:22.812949896 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:22.813136101 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:22.925084114 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:22.968403101 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:22.978699923 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.006140947 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.148186922 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.257045984 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.332336903 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.373541117 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.373573065 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.373589993 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.373610973 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.373697042 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.400897980 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.400927067 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.400942087 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.400959015 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.400975943 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.400989056 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.400991917 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.401010990 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.401016951 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.401030064 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.401040077 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.401334047 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.427997112 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428025007 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428041935 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428057909 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428075075 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428091049 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428100109 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.428107977 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428128004 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428144932 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428148985 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.428163052 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428167105 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.428180933 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428198099 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428214073 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.428215027 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428234100 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428236008 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.428251982 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428272009 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.428286076 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.428317070 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.455166101 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455198050 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455214977 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455231905 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455249071 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455265045 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455281973 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455298901 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455317020 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455332994 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455348969 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455365896 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455383062 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455399036 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455415964 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455431938 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455450058 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455467939 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455485106 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455502033 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455518961 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455534935 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455550909 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455566883 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455584049 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455601931 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455617905 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455634117 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455650091 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455666065 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455682039 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455698967 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.455773115 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.455830097 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.483926058 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.483972073 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484000921 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484030008 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484041929 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484057903 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484086990 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484095097 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484117031 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484143019 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484144926 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484170914 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484198093 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484224081 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484225988 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484257936 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484287024 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484287977 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484306097 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484321117 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484349966 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484366894 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484380007 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484407902 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484435081 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484436989 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484464884 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484486103 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484515905 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484544039 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484560013 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484571934 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484600067 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484627008 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484652996 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484679937 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484687090 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484693050 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484707117 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484735966 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484752893 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484764099 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484790087 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484791994 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484817982 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484833002 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484847069 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484874010 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484900951 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484910965 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484930992 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484956980 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.484961033 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.484989882 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.485016108 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.485019922 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.485069036 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.513874054 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.513926029 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.513961077 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.513993025 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514003992 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514024973 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514039040 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514060974 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514098883 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514106989 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514134884 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514166117 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514183998 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514199018 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514230013 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514245033 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514262915 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514296055 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514307976 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514327049 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514358997 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514389992 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514401913 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514420986 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514431000 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514452934 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514482975 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514513969 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514527082 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514545918 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514554024 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514576912 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514607906 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514621019 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514638901 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514669895 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514699936 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514700890 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514733076 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514748096 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514766932 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514799118 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514827967 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514858961 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514859915 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514892101 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514897108 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514925957 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514955997 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.514956951 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.514988899 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515003920 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.515021086 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515053034 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515081882 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515099049 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.515113115 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515126944 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.515145063 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515175104 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515201092 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.515208960 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515240908 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515264034 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.515273094 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515305996 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515336037 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515356064 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.515367031 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515396118 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.515398979 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515424013 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.515487909 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.542787075 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.542829037 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.542855024 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.542881012 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.542907953 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.542910099 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.542937040 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.542963028 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.542989016 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543009043 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543018103 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543045998 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543045998 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543070078 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543072939 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543100119 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543122053 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543127060 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543154001 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543179989 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543183088 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543206930 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543236017 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543256044 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543263912 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543291092 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543293953 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543318987 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543330908 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543344975 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543365955 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543386936 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543412924 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543445110 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543472052 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543498039 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543504000 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543524027 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543543100 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543551922 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543579102 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543601036 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543606997 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543632030 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543656111 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543661118 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543684959 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543705940 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543711901 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543740034 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543765068 CEST  49772        1187       192.168.2.5     212.193.30.204
May 17, 2022 20:30:23.543766975 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543796062 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543822050 CEST  1187         49772      212.193.30.204  192.168.2.5
May 17, 2022 20:30:23.543843985 CEST  49772        1187       192.168.2.5     212.193.30.204
                                                May 17, 2022 20:30:23.543847084 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.543874979 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.543876886 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.543900967 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.543915033 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.543930054 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.543956041 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.543978930 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.543982983 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.544009924 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.544038057 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.544054031 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.544064999 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.544090033 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.544091940 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.544151068 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.557316065 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571146011 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571183920 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571211100 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571234941 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571259022 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571290970 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571306944 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571319103 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571338892 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571345091 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571368933 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571369886 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571398020 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571420908 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571424961 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571446896 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571470022 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571470976 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571495056 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571499109 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571523905 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571527958 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571548939 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571552992 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571576118 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571578026 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571600914 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571603060 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571623087 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571630955 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571650028 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571657896 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571672916 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571683884 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571707010 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571712971 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571734905 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571741104 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571758986 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571767092 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571779013 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571793079 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571804047 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571818113 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571842909 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571866035 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571866035 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571891069 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571913958 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571914911 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571938038 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571943998 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571968079 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571974039 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.571991920 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.571995974 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572016954 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572021008 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572041035 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572043896 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572066069 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572066069 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572091103 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572091103 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572110891 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572117090 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572139978 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572141886 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572160959 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572168112 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572191000 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572196007 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572211981 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572222948 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572246075 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572247982 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572268009 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572274923 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572293997 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572302103 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572318077 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572329044 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572341919 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572355986 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572380066 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572386980 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572405100 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572424889 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572428942 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572455883 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572469950 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572498083 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572509050 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572525024 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572546959 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572547913 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572575092 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572581053 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572602034 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572604895 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572627068 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572627068 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572652102 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572653055 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572676897 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572676897 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572700977 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572704077 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572729111 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572730064 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572752953 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572756052 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572773933 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572782040 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572805882 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572808027 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572830915 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572833061 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572855949 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572859049 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572876930 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572885036 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572910070 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572912931 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572930098 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572936058 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572961092 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572962046 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.572984934 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.572988987 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.573010921 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.573015928 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:23.573035002 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.576066971 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:23.648452997 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:24.595253944 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:24.675786972 CEST118749772212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:25.702549934 CEST497721187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:30.973472118 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:31.000322104 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:31.000425100 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:31.001024008 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:31.040369034 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:31.087677956 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:31.115322113 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:31.242628098 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:32.705895901 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:32.785065889 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:33.033183098 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:33.114512920 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:33.210207939 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:33.344780922 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:33.374140024 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:33.445895910 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:33.524709940 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:33.613169909 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:33.613251925 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:33.640496969 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:33.640676975 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:33.667660952 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:33.724343061 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:33.807662010 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:33.900346041 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:33.988603115 CEST118749781212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:34.853998899 CEST497811187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:38.928461075 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:38.955382109 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:38.955519915 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:38.957782984 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:39.031105995 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:39.031416893 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:39.058638096 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:39.243350029 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:39.364984035 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:39.446218967 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:39.537947893 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:39.539191961 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:39.566519976 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:39.568675041 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:39.596421003 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:39.596554041 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:39.624238968 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:39.627079964 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:39.707190037 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:39.707294941 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:39.785178900 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:40.618851900 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:40.707083941 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:40.740156889 CEST118749787212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:40.852777004 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:41.627728939 CEST497871187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:45.989602089 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:46.017559052 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:46.017664909 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:46.018193960 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:46.062951088 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:46.063246965 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:46.092794895 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:46.243869066 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:46.669089079 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:46.753997087 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:46.940118074 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:47.019526005 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:47.158186913 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:47.173130989 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:47.200109959 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:47.201477051 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:47.228888035 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:47.228993893 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:47.256191015 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:47.353363037 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:47.448056936 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:47.537444115 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:47.656373024 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:47.738461018 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:48.867304087 CEST118749794212.193.30.204192.168.2.5
                                                May 17, 2022 20:30:49.033351898 CEST497941187192.168.2.5212.193.30.204
                                                May 17, 2022 20:30:54.439984083 CEST497971187192.168.2.5212.193.30.204
May 17, 2022 20:30:54.466758966 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:54.466871023 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:54.580307961 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:54.623544931 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:54.624237061 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:54.707056999 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:54.713177919 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:54.740719080 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:54.856982946 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:55.406984091 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:55.488275051 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:55.609306097 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:55.620387077 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:55.647325039 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:55.725498915 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:55.800785065 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:55.828900099 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:55.856297016 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:55.856496096 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:55.883578062 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:56.050003052 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:56.611305952 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:30:56.691374063 CEST | 1187 | 49797 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:30:56.762713909 CEST | 49797 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:00.825278044 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:00.852384090 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:00.852520943 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:00.853121996 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:00.901124954 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:00.939074039 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:00.966968060 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:01.054677963 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:01.197923899 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:01.272089005 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:02.293622971 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:02.379009962 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:02.777918100 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:02.863513947 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:02.966264963 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:02.967183113 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:02.994442940 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:02.995435953 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:03.026613951 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:03.026741982 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:03.054507971 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:03.098640919 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:03.176356077 CEST | 1187 | 49803 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:03.212582111 CEST | 49803 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:07.843995094 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:07.871366024 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:07.871728897 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:07.938867092 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:07.996553898 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:08.055217028 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:08.061367989 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:08.091280937 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:08.149018049 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:08.673027039 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:08.753909111 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:08.924242973 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:09.004443884 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:09.120970964 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:09.164736986 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:09.191673994 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:09.258461952 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:10.084671974 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:10.160468102 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:10.160722017 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:10.255526066 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:10.255657911 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:10.288577080 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:10.294486046 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:10.321489096 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:10.461704969 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:10.821016073 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:10.910433054 CEST | 1187 | 49806 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:11.837671995 CEST | 49806 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:15.915348053 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:15.942078114 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:15.942174911 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:15.942780018 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:15.987961054 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:15.988236904 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:16.016691923 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:16.180938959 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:16.213356972 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:16.285320997 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:16.286289930 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:16.358405113 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:16.482204914 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:16.486344099 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:16.513977051 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:16.534451962 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:16.562484980 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:16.565464973 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:16.593081951 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:16.593226910 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:16.675723076 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:17.197288990 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:17.269531012 CEST | 1187 | 49809 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:18.213558912 CEST | 49809 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:22.316598892 CEST | 49812 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:22.344878912 CEST | 1187 | 49812 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:22.345087051 CEST | 49812 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:22.345783949 CEST | 49812 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:22.376108885 CEST | 1187 | 49812 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:22.540798903 CEST | 49812 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:22.567962885 CEST | 1187 | 49812 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:22.568779945 CEST | 49812 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:22.596875906 CEST | 1187 | 49812 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:22.728415012 CEST | 49812 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:23.169842005 CEST | 49812 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:23.199551105 CEST | 49812 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.235048056 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.262062073 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:29.262247086 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.263030052 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.301495075 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:29.301870108 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.329307079 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:29.478946924 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.540433884 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.628966093 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:29.760665894 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:29.761626005 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.788693905 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:29.789776087 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.817127943 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:29.817326069 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.844662905 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:29.844782114 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:29.925766945 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:30.060101032 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:30.144824982 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:31.058414936 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:31.144717932 CEST | 1187 | 49813 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:32.104521990 CEST | 49813 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.200284004 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.227314949 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:36.227447033 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.233314037 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.281426907 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:36.281765938 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.309005976 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:36.354530096 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.519583941 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.614123106 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:36.731735945 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:36.776392937 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.776694059 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.803522110 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:36.847160101 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.864373922 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.893294096 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:36.893687963 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:36.921416044 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:36.922624111 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:37.006705046 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:37.145576000 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:37.225070953 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:37.663141012 CEST | 1187 | 49815 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:37.714027882 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:38.167973042 CEST | 49815 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:42.267390013 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:42.302983999 CEST | 1187 | 49816 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:42.303093910 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:42.303772926 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:42.345303059 CEST | 1187 | 49816 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:42.353084087 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:42.380660057 CEST | 1187 | 49816 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:42.485896111 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:42.677195072 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:42.754911900 CEST | 1187 | 49816 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:42.892551899 CEST | 1187 | 49816 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:42.966373920 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:42.993793011 CEST | 1187 | 49816 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:43.063513041 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:43.091111898 CEST | 1187 | 49816 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:43.091265917 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:43.118614912 CEST | 1187 | 49816 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:43.249691010 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:43.265161991 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:43.354794979 CEST | 1187 | 49816 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:43.500284910 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:43.583009005 CEST | 1187 | 49816 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:44.379833937 CEST | 49816 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:48.668442011 CEST | 49818 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:48.697812080 CEST | 1187 | 49818 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:48.698007107 CEST | 49818 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:48.698744059 CEST | 49818 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:48.726428032 CEST | 1187 | 49818 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:48.793086052 CEST | 49818 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:48.820276976 CEST | 1187 | 49818 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:48.820792913 CEST | 49818 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:48.848088026 CEST | 1187 | 49818 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:48.980643988 CEST | 49818 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:49.290839911 CEST | 49818 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:49.379843950 CEST | 1187 | 49818 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:49.457415104 CEST | 49818 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:49.476788044 CEST | 1187 | 49818 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:49.476943970 CEST | 49818 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:53.698391914 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:53.725269079 CEST | 1187 | 49819 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:53.725383997 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:53.726212978 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:53.756640911 CEST | 1187 | 49819 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:53.871622086 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:53.899087906 CEST | 1187 | 49819 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:53.911351919 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:53.938688993 CEST | 1187 | 49819 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:54.074779034 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:54.128034115 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:54.207813025 CEST | 1187 | 49819 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:54.320280075 CEST | 1187 | 49819 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:54.321135998 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:54.347985029 CEST | 1187 | 49819 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:54.349366903 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:54.376615047 CEST | 1187 | 49819 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:54.378380060 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:54.405714989 CEST | 1187 | 49819 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:54.406624079 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:54.489118099 CEST | 1187 | 49819 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:54.528448105 CEST | 49819 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:58.597389936 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:58.624774933 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:58.624867916 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:58.625380039 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:58.667870998 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:58.676132917 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:58.704694033 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:58.715420008 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:58.786161900 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:58.904809952 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:58.989326954 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:59.106679916 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:59.106991053 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:59.136111021 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:59.137528896 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:59.165231943 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:59.165344954 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:59.192903042 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:31:59.193013906 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:31:59.271174908 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:32:02.036811113 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:32:02.091619015 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
May 17, 2022 20:32:03.661712885 CEST | 1187 | 49822 | 212.193.30.204 | 192.168.2.5
May 17, 2022 20:32:03.795284033 CEST | 49822 | 1187 | 192.168.2.5 | 212.193.30.204
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 17, 2022 20:30:22.744570971 CEST | 54322 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:30:22.764415979 CEST | 53 | 54322 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:30:30.888555050 CEST | 63187 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:30:30.910044909 CEST | 53 | 63187 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:30:38.901221037 CEST | 61941 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:30:38.922380924 CEST | 53 | 61941 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:30:45.969238997 CEST | 63241 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:30:45.988259077 CEST | 53 | 63241 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:30:54.377773046 CEST | 57809 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:30:54.399000883 CEST | 53 | 57809 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:31:00.802875042 CEST | 62680 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:31:00.823893070 CEST | 53 | 62680 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:31:07.682859898 CEST | 49912 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:31:07.700628042 CEST | 53 | 49912 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:31:15.894793987 CEST | 57990 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:31:15.914181948 CEST | 53 | 57990 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:31:22.294926882 CEST | 54463 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:31:22.315357924 CEST | 53 | 54463 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:31:29.212796926 CEST | 63718 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:31:29.232027054 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:31:36.179580927 CEST | 61126 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:31:36.196830034 CEST | 53 | 61126 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:31:42.240658998 CEST | 54152 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:31:42.261655092 CEST | 53 | 54152 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:31:48.642363071 CEST | 53194 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:31:48.660270929 CEST | 53 | 53194 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:31:53.676034927 CEST | 50393 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:31:53.695802927 CEST | 53 | 50393 | 8.8.8.8 | 192.168.2.5
May 17, 2022 20:31:58.573787928 CEST | 61458 | 53 | 192.168.2.5 | 8.8.8.8
May 17, 2022 20:31:58.593518019 CEST | 53 | 61458 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 17, 2022 20:30:22.744570971 CEST | 192.168.2.5 | 8.8.8.8 | 0x262e | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:30:30.888555050 CEST | 192.168.2.5 | 8.8.8.8 | 0xff17 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:30:38.901221037 CEST | 192.168.2.5 | 8.8.8.8 | 0x2997 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:30:45.969238997 CEST | 192.168.2.5 | 8.8.8.8 | 0xb8ef | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:30:54.377773046 CEST | 192.168.2.5 | 8.8.8.8 | 0x40dd | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:31:00.802875042 CEST | 192.168.2.5 | 8.8.8.8 | 0xd7d7 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:31:07.682859898 CEST | 192.168.2.5 | 8.8.8.8 | 0xb849 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:31:15.894793987 CEST | 192.168.2.5 | 8.8.8.8 | 0x9ea0 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:31:22.294926882 CEST | 192.168.2.5 | 8.8.8.8 | 0xf974 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:31:29.212796926 CEST | 192.168.2.5 | 8.8.8.8 | 0xf8e0 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:31:36.179580927 CEST | 192.168.2.5 | 8.8.8.8 | 0xd91b | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:31:42.240658998 CEST | 192.168.2.5 | 8.8.8.8 | 0xf075 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:31:48.642363071 CEST | 192.168.2.5 | 8.8.8.8 | 0x4878 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:31:53.676034927 CEST | 192.168.2.5 | 8.8.8.8 | 0xa5d3 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
May 17, 2022 20:31:58.573787928 CEST | 192.168.2.5 | 8.8.8.8 | 0xe914 | Standard query (0) | deranano2.ddns.net | A (IP address) | IN (0x0001)
                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                May 17, 2022 20:30:22.764415979 CEST | 8.8.8.8 | 192.168.2.5 | 0x262e | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:30:30.910044909 CEST | 8.8.8.8 | 192.168.2.5 | 0xff17 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:30:38.922380924 CEST | 8.8.8.8 | 192.168.2.5 | 0x2997 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:30:45.988259077 CEST | 8.8.8.8 | 192.168.2.5 | 0xb8ef | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:30:54.399000883 CEST | 8.8.8.8 | 192.168.2.5 | 0x40dd | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:31:00.823893070 CEST | 8.8.8.8 | 192.168.2.5 | 0xd7d7 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:31:07.700628042 CEST | 8.8.8.8 | 192.168.2.5 | 0xb849 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:31:15.914181948 CEST | 8.8.8.8 | 192.168.2.5 | 0x9ea0 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:31:22.315357924 CEST | 8.8.8.8 | 192.168.2.5 | 0xf974 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:31:29.232027054 CEST | 8.8.8.8 | 192.168.2.5 | 0xf8e0 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:31:36.196830034 CEST | 8.8.8.8 | 192.168.2.5 | 0xd91b | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:31:42.261655092 CEST | 8.8.8.8 | 192.168.2.5 | 0xf075 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:31:48.660270929 CEST | 8.8.8.8 | 192.168.2.5 | 0x4878 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:31:53.695802927 CEST | 8.8.8.8 | 192.168.2.5 | 0xa5d3 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)
                                                May 17, 2022 20:31:58.593518019 CEST | 8.8.8.8 | 192.168.2.5 | 0xe914 | No error (0) | deranano2.ddns.net |  | 212.193.30.204 | A (IP address) | IN (0x0001)

                                                Target ID:0
                                                Start time:20:29:53
                                                Start date:17/05/2022
                                                Path:C:\Users\user\Desktop\INVOICE.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\INVOICE.exe"
                                                Imagebase:0x3d0000
                                                File size:656896 bytes
                                                MD5 hash:9D58123708F80D79654D981A8B6D9924
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.489522906.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.495513796.0000000007300000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.487374946.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.489936626.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low

                                                Target ID:3
                                                Start time:20:30:14
                                                Start date:17/05/2022
                                                Path:C:\Users\user\Desktop\INVOICE.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\Desktop\INVOICE.exe
                                                Imagebase:0xb40000
                                                File size:656896 bytes
                                                MD5 hash:9D58123708F80D79654D981A8B6D9924
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.480652507.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.482727017.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.481241777.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000003.00000000.481993542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low

                                                  Execution Graph

                                                  Execution Coverage:13.3%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:119
                                                  Total number of Limit Nodes:10
                                                  execution_graph: [rendered graph; node and edge data omitted. Entry functions 9a40d0 and 9ab810; Windows APIs reached: CreateActCtxA, GetModuleHandleW, LoadLibraryExW, DuplicateHandle]
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54354bea848cbe10c0d6d8192ab629262a0c727252268a0bff9a711b803f0996
                                                  • Instruction ID: 0ed97d59f05ca915ee112df7b71f8c972e4132f4da216c44c7c77736e4f22bf4
                                                  • Opcode Fuzzy Hash: 54354bea848cbe10c0d6d8192ab629262a0c727252268a0bff9a711b803f0996
                                                  • Instruction Fuzzy Hash: 0B124CB1811A868AE710DFB5FDDC1893BA1B7453ACB904328D2612FAE1D7B8158BCF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d10c239cc376215ad57f8f370c3db54ae643f0e95d897d5d028358b8b5052a27
                                                  • Instruction ID: f0b80ada9de730f3ff5042c4e7f3193faebf95c9dcefb581235c1e4782ad7585
                                                  • Opcode Fuzzy Hash: d10c239cc376215ad57f8f370c3db54ae643f0e95d897d5d028358b8b5052a27
                                                  • Instruction Fuzzy Hash: 36C1D0B1C11B8A8AD710DFB5FDD81893BA1BB8536CB514328D2612F6E1E7B4158BCF84
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph: [rendered graph for function 9a9528; basic-block edge data omitted. Calls 9a7214, 9a97a2, 9a97b0, 9a87fc, 9a880c, 9a881c, 9a882c and GetModuleHandleW]
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID: @Uz
                                                  • API String ID: 4139908857-4173817313
                                                  • Opcode ID: f10edc26a75beac65e592ae1993da7c6cbef5fc928eee48d9e9eacf4e5974a94
                                                  • Instruction ID: 688c9256373c211791b6faf2e6bf7ab384592c67202eef7e73811ec4e5fd39d0
                                                  • Opcode Fuzzy Hash: f10edc26a75beac65e592ae1993da7c6cbef5fc928eee48d9e9eacf4e5974a94
                                                  • Instruction Fuzzy Hash: 7E713570A00B048FDB24DF6AC45579AB7F6BF89304F108A29E45ADBA50DB34E909CBD1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph: [rendered graph for function 9a38a8; basic-block edge data omitted. Calls CreateActCtxA]
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 009A5421
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID: @Uz
                                                  • API String ID: 2289755597-4173817313
                                                  • Opcode ID: d7381d5b36abf75ffc29204bd044ec1e340ccd68701f02f98b73690892e6057f
                                                  • Instruction ID: b121dae034e26aaf199e92328ac541a7cd73cadad17610bd88c952065844213f
                                                  • Opcode Fuzzy Hash: d7381d5b36abf75ffc29204bd044ec1e340ccd68701f02f98b73690892e6057f
                                                  • Instruction Fuzzy Hash: 3C41F271D0062CCBDB24DFA9C8847DEBBF6BF49308F218569D408AB251DBB56985CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph: [rendered graph for function 9a536e; basic-block edge data omitted. Calls CreateActCtxA]
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 009A5421
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID: @Uz
                                                  • API String ID: 2289755597-4173817313
                                                  • Opcode ID: b1e15457a78d3eae2f5345682c989b41357fe859d34e7a3b9b028a4aaa06c6ac
                                                  • Instruction ID: 3f87b83b9fbf68e3f62e1665c33828b728db6aa2b6c3116bf03927c69e5344c9
                                                  • Opcode Fuzzy Hash: b1e15457a78d3eae2f5345682c989b41357fe859d34e7a3b9b028a4aaa06c6ac
                                                  • Instruction Fuzzy Hash: FD41C071D0061CCBDB24DFA9C884BDEBBF6BF49308F218569D408AB251DB756985CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph: [rendered graph for function 9aa264; basic-block edge data omitted. Calls DuplicateHandle]
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009AB9FE,?,?,?,?,?), ref: 009ABABF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID: @Uz
                                                  • API String ID: 3793708945-4173817313
                                                  • Opcode ID: c7b4a38ac145696f8ebdfaec34edba62ba435dd1112f29744fa847ce17a37aa2
                                                  • Instruction ID: a84df5366a8694fc880fa75ee28043313dac9c88584e5f725658b9d05578b701
                                                  • Opcode Fuzzy Hash: c7b4a38ac145696f8ebdfaec34edba62ba435dd1112f29744fa847ce17a37aa2
                                                  • Instruction Fuzzy Hash: B921E6B5D002089FDB10CF99D484ADEBBF9FB49324F14841AE915A7310D374A954CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph: [rendered graph for function 9aba30; basic-block edge data omitted. Calls DuplicateHandle]
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009AB9FE,?,?,?,?,?), ref: 009ABABF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID: @Uz
                                                  • API String ID: 3793708945-4173817313
                                                  • Opcode ID: 3ea7641bdaa3d2c97c98a445efee7b89720d7b2e28ce415c365eb9fbc6fa0491
                                                  • Instruction ID: ba7a54c1b0d87f7857f3a4d34b94e4a3dcdfeff8d101bb0782f63b7ee0b52ce5
                                                  • Opcode Fuzzy Hash: 3ea7641bdaa3d2c97c98a445efee7b89720d7b2e28ce415c365eb9fbc6fa0491
                                                  • Instruction Fuzzy Hash: 942103B5D002489FDB10CFA9D884AEEBBF9FB48324F14841AE914A3310D374A944CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph: [rendered graph for function 9a8858; basic-block edge data omitted. Calls LoadLibraryExW]
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009A97E9,00000800,00000000,00000000), ref: 009A99FA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID: @Uz
                                                  • API String ID: 1029625771-4173817313
                                                  • Opcode ID: 546129e2f1621e10384443ba08ae1cb0e6778e15723e9667a2d39cc274eb2225
                                                  • Instruction ID: 978eb866dc841efcdf7f9e1b33bfec6e0f1d5d579225c4c739cabc3757cf518b
                                                  • Opcode Fuzzy Hash: 546129e2f1621e10384443ba08ae1cb0e6778e15723e9667a2d39cc274eb2225
                                                  • Instruction Fuzzy Hash: E81103B69007099FCB10CF9AC484AEEFBF9FB89314F14852ED419A7200C375A945CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph: [rendered graph for function 9a9988; basic-block edge data omitted. Calls LoadLibraryExW]
                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009A97E9,00000800,00000000,00000000), ref: 009A99FA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID: @Uz
                                                  • API String ID: 1029625771-4173817313
                                                  • Opcode ID: 2a16f935106c2928378f230ba3225fbfe2406b37653e19ab57b826ea77a534a2
                                                  • Instruction ID: 774c344d116717ecaa79eaa4e4c1355acc8db06b60e4d4dbdf2704151f30c937
                                                  • Opcode Fuzzy Hash: 2a16f935106c2928378f230ba3225fbfe2406b37653e19ab57b826ea77a534a2
                                                  • Instruction Fuzzy Hash: EB1114B69003099FDB10CF9AC884BDEFBF9BB89314F14852AD419B7200C375A945CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  Control-flow graph (flattened rendering of the graph image, blocks listed as id: address range):
                                                  • Block 346: 9a7214-9a9748
                                                  • Block 348: 9a974a-9a974d
                                                  • Block 349: 9a9750-9a977b (calls GetModuleHandleW)
                                                  • Block 350: 9a977d-9a9783
                                                  • Block 351: 9a9784-9a9798
                                                  • Edges: 346->348, 346->349, 348->349, 349->350, 349->351, 350->351
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,009A953B), ref: 009A976E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID: @Uz
                                                  • API String ID: 4139908857-4173817313
                                                  • Opcode ID: 5271c552390f64f269ec2ec7107d21499310f3f4135a8c3b03f357dbe2ab3f56
                                                  • Instruction ID: da53deda7da0f12193c1b4ba1eaf5a2da47ca0fbd7dc84b50aa1542d66df1d06
                                                  • Opcode Fuzzy Hash: 5271c552390f64f269ec2ec7107d21499310f3f4135a8c3b03f357dbe2ab3f56
                                                  • Instruction Fuzzy Hash: F61102B6C006498FCB10CF9AC444BDEFBF9FB89324F14852AD429A7600D378A945CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485179877.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_94d000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1c26b254b637d94fb9d6750bd74ec8d74e3f1cb540f615c9b141a670b6e4b752
                                                  • Instruction ID: ebc143731bd12e2cb7ca3533b62a73857f432474971d63112c5d796c9eefca56
                                                  • Opcode Fuzzy Hash: 1c26b254b637d94fb9d6750bd74ec8d74e3f1cb540f615c9b141a670b6e4b752
                                                  • Instruction Fuzzy Hash: FD212879504240DFDB05DF14D8C0F66BF69FB88318F248A69E8050B24AC73AD955C7A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485235398.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_95d000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 798b49602944278767f36075566a77681e5c32af3ae50321ff3c52305b670fbf
                                                  • Instruction ID: b0df53c36772d2465d3e35579d4b873987cecacd3831a95e0cf46fac6573be7f
                                                  • Opcode Fuzzy Hash: 798b49602944278767f36075566a77681e5c32af3ae50321ff3c52305b670fbf
                                                  • Instruction Fuzzy Hash: C6213771504200DFDB10CF51D9C0B26BBA9FB84319F24CA6DEC094B241C33AD84ACB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485235398.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_95d000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 504c50b1901f017a73c0c6680c81bec717e9aa6841bf99d888bd04e58c4fc7e6
                                                  • Instruction ID: a8f4c39edc9df0b052d3d166be76861991574197e9da65b30ea19e06cf8a27df
                                                  • Opcode Fuzzy Hash: 504c50b1901f017a73c0c6680c81bec717e9aa6841bf99d888bd04e58c4fc7e6
                                                  • Instruction Fuzzy Hash: DA21F575504244DFDB24DF24D8C4B26BBA9FB84315F24C969DC094B286C33AD84BCB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485235398.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_95d000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7318e997557f29c2d15f59de1dbb79cfaaad8831e4015066b46ff4475f2c893a
                                                  • Instruction ID: 7adea8a82cc3ec8cbf87221933bcf5378bfab016c03329a4b4a06b09e90f8e98
                                                  • Opcode Fuzzy Hash: 7318e997557f29c2d15f59de1dbb79cfaaad8831e4015066b46ff4475f2c893a
                                                  • Instruction Fuzzy Hash: F42181755093C08FDB12CF20D994B15BF71EB46314F28C6EAD8498B697C33AD84ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485179877.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_94d000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f781e3e22243257e7c2cd1e7ae3ee94a8cb0c0f556951c160f75036b1b3388de
                                                  • Instruction ID: 1ded1a21606a1664d53e2de86a91a830c3f52337a3115cf23c0bd4ff26a318aa
                                                  • Opcode Fuzzy Hash: f781e3e22243257e7c2cd1e7ae3ee94a8cb0c0f556951c160f75036b1b3388de
                                                  • Instruction Fuzzy Hash: 9911B176504280CFCB11CF10D5C4F16BF71FB84324F24C6A9E8494B65AC33AD95ACBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485235398.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_95d000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7725c651bc0dbb99a59bbb3ef5fefc7b652fbefa08161400189807505c1d87ac
                                                  • Instruction ID: 38f21d5bf728560366ca4a2696b963b9aff80899ff5d1a2d5280c999e09bb146
                                                  • Opcode Fuzzy Hash: 7725c651bc0dbb99a59bbb3ef5fefc7b652fbefa08161400189807505c1d87ac
                                                  • Instruction Fuzzy Hash: 5D118B75505280DFDB11CF10D5C4B15BBA1FB84324F28C6AEDC494B656C33AD84ACBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485179877.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_94d000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ca23658961cfcc96f84f7352b797f8cfa3358638f0e79311380e1340efe34e9d
                                                  • Instruction ID: 8a19ff89a14f9233ff9fd87d5eb46706414e10d18a578bfb5fd0e761b06be89a
                                                  • Opcode Fuzzy Hash: ca23658961cfcc96f84f7352b797f8cfa3358638f0e79311380e1340efe34e9d
                                                  • Instruction Fuzzy Hash: 8D01F7B94053449BE7104B61CCC4F67BBDCDF41338F188A5AED044E242D3789C44CAB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485179877.000000000094D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0094D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_94d000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7668ee8b9e0f9ae40ca6cf659c6a2e36e82a949dd5a36657ee1285aeee8d18a6
                                                  • Instruction ID: ab1c657984d298b9f7d9e2bcbd3bb24d6d5ff3dcff595262e7c7823516c29d08
                                                  • Opcode Fuzzy Hash: 7668ee8b9e0f9ae40ca6cf659c6a2e36e82a949dd5a36657ee1285aeee8d18a6
                                                  • Instruction Fuzzy Hash: 5EF0C2B54053849AEB108E15CCC8B62FB9CEB81734F18C55AED080F386C3789C44CAB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.485493715.00000000009A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_9a0000_INVOICE.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f34287a9bb8a1020832bf470f57da5741bcd16742490e3ab6bbc0e0ed2428901
                                                  • Instruction ID: 5318e0376ce84718c8214244733ebed79bdda67811a0c5d8f244260d69d930bd
                                                  • Opcode Fuzzy Hash: f34287a9bb8a1020832bf470f57da5741bcd16742490e3ab6bbc0e0ed2428901
                                                  • Instruction Fuzzy Hash: BCA18032E006198FCF05DFA5C8445DEB7B6FFC6300B15856AE806AB221EB31E945CF80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%