Windows Analysis Report
PROOF OF PAYMENT.scr.exe

Overview

General Information

Sample name: PROOF OF PAYMENT.scr.exe
Analysis ID: 1431488
MD5: 11b19b59f657910f0af49721a77bc2dd
SHA1: 3078779d892bd96e5dfddb76d491f52eefd39a2d
SHA256: c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85
Tags: exe, NanoCoreRAT

Detection

Nanocore, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Nanocore RAT
Yara detected PureLog Stealer
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: amechi.duckdns.org Avira URL Cloud: Label: malware
Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "3ccbc5bb-95bf-4854-a1cd-6f73b82a", "Group": "GLORY", "Domain1": "amechi.duckdns.org", "Domain2": "amechi.duckdns.org", "Port": 3190, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: amechi.duckdns.org Virustotal: Detection: 12%
Source: C:\Program Files (x86)\DNS Host\dnshost.exe ReversingLabs: Detection: 13%
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Virustotal: Detection: 27%
Source: PROOF OF PAYMENT.scr.exe Virustotal: Detection: 27%
Source: PROOF OF PAYMENT.scr.exe ReversingLabs: Detection: 13%
Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Joe Sandbox ML: detected
Source: PROOF OF PAYMENT.scr.exe Joe Sandbox ML: detected
Source: PROOF OF PAYMENT.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PROOF OF PAYMENT.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: \mscorlib.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp, WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Core.ni.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Windows.Forms.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: mscorlib.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Drawing.pdb`~ source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Drawing.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.pdbH source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: mscorlib.ni.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Core.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Core.pdbPK6 source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.ni.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 4x nop then jmp 02470499h 0_2_02470586
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 4x nop then jmp 0D0201D1h 11_2_0D0202BE
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 4x nop then jmp 08A201D1h 17_2_08A202BC

Networking

Source: Traffic Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49735 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49736 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49743 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49744 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49745 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49746 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49746 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49747 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49749 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2046917 ET TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.95.169.113:3190 -> 192.168.2.4:49750
Source: Traffic Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49750 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49752 -> 45.95.169.113:3190
Source: Traffic Snort IDS: 2046917 ET TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.95.169.113:3190 -> 192.168.2.4:49755
Source: Malware configuration extractor URLs: amechi.duckdns.org
Source: unknown DNS query: name: amechi.duckdns.org
Source: global traffic TCP traffic: 192.168.2.4:49735 -> 45.95.169.113:3190
Source: Joe Sandbox View IP Address: 45.95.169.113
Source: Joe Sandbox View ASN Name: GIGANET-HUGigaNetInternetServiceProviderCoHU
Source: global traffic DNS traffic detected: DNS query: amechi.duckdns.org
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1715877322.00000000025DD000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, hXGmUcb.exe, 0000000B.00000002.1808923412.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000011.00000002.1898089086.0000000002791000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.27.dr String found in binary or memory: http://upx.sf.net
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1719321856.0000000006632000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_7f75a987-7

E-Banking Fraud

Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR

System Summary

Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000A.00000002.3252685387.000000000411B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.1938368826.0000000003D9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: initial sample Static PE information: Filename: PROOF OF PAYMENT.scr.exe
Source: C:\Windows\SysWOW64\WerFault.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_02471E60 0_2_02471E60
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_02470308 0_2_02470308
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_024702F8 0_2_024702F8
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_0251E3B4 0_2_0251E3B4
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E27568 0_2_06E27568
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E208B0 0_2_06E208B0
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E27558 0_2_06E27558
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E2A528 0_2_06E2A528
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E2A0F0 0_2_06E2A0F0
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E2C160 0_2_06E2C160
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E22141 0_2_06E22141
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E22150 0_2_06E22150
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E2C151 0_2_06E2C151
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E22117 0_2_06E22117
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E2CB60 0_2_06E2CB60
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E2089F 0_2_06E2089F
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E23800 0_2_06E23800
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E23810 0_2_06E23810
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E2A960 0_2_06E2A960
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 10_2_0130D344 10_2_0130D344
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 10_2_06761818 10_2_06761818
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 10_2_067601E0 10_2_067601E0
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0261E3B4 11_2_0261E3B4
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_04C80FD4 11_2_04C80FD4
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_04C824D6 11_2_04C824D6
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_04C80508 11_2_04C80508
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_04C80518 11_2_04C80518
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_090408B0 11_2_090408B0
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_09047568 11_2_09047568
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0904A960 11_2_0904A960
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_09043800 11_2_09043800
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_09043810 11_2_09043810
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0904089F 11_2_0904089F
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0904CB60 11_2_0904CB60
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_09042117 11_2_09042117
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_09042141 11_2_09042141
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_09042150 11_2_09042150
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0904C151 11_2_0904C151
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0904C160 11_2_0904C160
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0904A0F0 11_2_0904A0F0
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0904A528 11_2_0904A528
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_09047558 11_2_09047558
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0D020040 11_2_0D020040
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0D021AC8 11_2_0D021AC8
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0D020006 11_2_0D020006
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 15_2_0111D344 15_2_0111D344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_009DE3B4 17_2_009DE3B4
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C67568 17_2_06C67568
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C608B0 17_2_06C608B0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C67565 17_2_06C67565
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C6A528 17_2_06C6A528
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C6A0F0 17_2_06C6A0F0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C6214D 17_2_06C6214D
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C62150 17_2_06C62150
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C6C15D 17_2_06C6C15D
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C6C160 17_2_06C6C160
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C6CB60 17_2_06C6CB60
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C6089F 17_2_06C6089F
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C63800 17_2_06C63800
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C63810 17_2_06C63810
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C6A960 17_2_06C6A960
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_08A20040 17_2_08A20040
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_08A219B9 17_2_08A219B9
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_08A20011 17_2_08A20011
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 21_2_0137D344 21_2_0137D344
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1560
Source: PROOF OF PAYMENT.scr.exe Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: hXGmUcb.exe.0.dr Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1715122507.000000000080E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1720840961.0000000009680000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000000.1613081722.0000000000208000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLaZ.exe" vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1716851418.0000000003F67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3252685387.0000000004138000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257666948.0000000006770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3252685387.0000000004151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe Binary or memory string: OriginalFilenameLaZ.exe" vs PROOF OF PAYMENT.scr.exe
Source: PROOF OF PAYMENT.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.PROOF OF PAYMENT.scr.exe.411b146.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dnshost.exe.3d9b146.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 15.2.hXGmUcb.exe.2b1a2c8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.PROOF OF PAYMENT.scr.exe.5740000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dnshost.exe.2dba2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.PROOF OF PAYMENT.scr.exe.3105218.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000A.00000002.3252685387.000000000411B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.1938368826.0000000003D9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: PROOF OF PAYMENT.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hXGmUcb.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, f1i4Sn8yTX9wQ64gor.cs Security API names: _0020.SetAccessControl
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, f1i4Sn8yTX9wQ64gor.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, f1i4Sn8yTX9wQ64gor.cs Security API names: _0020.AddAccessRule
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, rh0ThCo3wv2MPxBtFh.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, rh0ThCo3wv2MPxBtFh.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, f1i4Sn8yTX9wQ64gor.cs Security API names: _0020.SetAccessControl
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, f1i4Sn8yTX9wQ64gor.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, f1i4Sn8yTX9wQ64gor.cs Security API names: _0020.AddAccessRule
Source: 0.2.PROOF OF PAYMENT.scr.exe.25dd5c8.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PROOF OF PAYMENT.scr.exe.27c5b7c.3.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PROOF OF PAYMENT.scr.exe.4f50000.10.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PROOF OF PAYMENT.scr.exe.25cd174.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.evad.winEXE@32/26@14/1
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File created: C:\Program Files (x86)\DNS Host
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File created: C:\Users\user\AppData\Roaming\hXGmUcb.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7580
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Mutant created: \Sessions\1\BaseNamedObjects\IwPiDPKLEAdVwxqu
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{3ccbc5bb-95bf-4854-a1cd-6f73b82adcba}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File created: C:\Users\user\AppData\Local\Temp\tmp314F.tmp
Source: PROOF OF PAYMENT.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PROOF OF PAYMENT.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PROOF OF PAYMENT.scr.exe Virustotal: Detection: 27%
Source: PROOF OF PAYMENT.scr.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File read: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe
Source: unknown Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\hXGmUcb.exe C:\Users\user\AppData\Roaming\hXGmUcb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Process created: C:\Users\user\AppData\Roaming\hXGmUcb.exe "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
Source: unknown Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp7AEB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7580 -s 1560
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp"
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Process created: C:\Users\user\AppData\Roaming\hXGmUcb.exe "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp7AEB.tmp"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PROOF OF PAYMENT.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PROOF OF PAYMENT.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: \mscorlib.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.pdb source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3257051496.0000000006660000.00000004.00000020.00020000.00000000.sdmp, WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Core.ni.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Windows.Forms.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: mscorlib.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Drawing.pdb`~ source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Drawing.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.pdbH source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: mscorlib.ni.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Core.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Core.pdbPK6 source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.ni.pdb source: WER7F8A.tmp.dmp.27.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER7F8A.tmp.dmp.27.dr

Data Obfuscation

Source: PROOF OF PAYMENT.scr.exe, SpreadsheetName.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: hXGmUcb.exe.0.dr, SpreadsheetName.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, f1i4Sn8yTX9wQ64gor.cs .Net Code: IaGtmtH0V1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, f1i4Sn8yTX9wQ64gor.cs .Net Code: IaGtmtH0V1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs .Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Code function: 0_2_06E27F4B push es; retf 0_2_06E27F50
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0261AFC8 push eax; retn 0004h 11_2_0261AFD2
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0261AFD8 push eax; retn 0004h 11_2_0261AFE2
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_0261B00A push eax; retn 0004h 11_2_0261AFD2
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_04C830B0 push es; mov dword ptr [esp], 5504BCABh 11_2_04C830BA
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Code function: 11_2_04C8EAB8 pushfd ; iretd 11_2_04C8EB31
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 17_2_06C67F4B push es; retf 17_2_06C67F50
Source: PROOF OF PAYMENT.scr.exe Static PE information: section name: .text entropy: 7.966591288732788
Source: hXGmUcb.exe.0.dr Static PE information: section name: .text entropy: 7.966591288732788
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, a7WH18Hcc20wPeWQJl.cs High entropy of concatenated method names: 'vMdhK16Qy4', 'AfehrDnT0s', 'd7XYDO1hi3', 'y3ZY6kY8ZF', 'erVY5Ubmoc', 'FMkYiHgHZj', 'QG8YbqU8ov', 'GsfY4IN3tB', 'IwSYRQ1iAp', 'wqrYLbLDVy'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, Rey2rtdvRpTeCLFBeL.cs High entropy of concatenated method names: 'Dispose', 'q2PQ7WshZd', 'VuMEArlkQY', 'S4IooGTDB7', 'GWlQMpmyVP', 'JKdQzahP8E', 'ProcessDialogKey', 'NOMEVEiiWw', 'l7TEQ59o19', 'jqFEEuyUBV'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, RmVeZLtcaKrdC0Uaus.cs High entropy of concatenated method names: 'ToString', 'nInePXmGxq', 'RhqeAiyn6r', 'VwdeDRiX08', 'nhPe6pCl8W', 'hVpe5viEja', 'iGyeigMoaI', 's8debL81ZH', 'p2Ie4nZ4wi', 'XA7eRY79mp'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, YYWK0OzQ8GnTyh7euo.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BXoFskcPry', 'r2vF1Etb6I', 'gj7FesUY1g', 'JZeFOtlUMR', 'XcVFxhsIw2', 'AciFF49OQJ', 'RjgF94bdvr'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, WwSNyg0DDuwGTvKVKj.cs High entropy of concatenated method names: 'Eay2pw1UVa', 'X3E2N6C52J', 'xnb2mQfn69', 'MmX2aquZts', 'sBw2lQBKVy', 'mHW2rGY8xd', 'kNv2UQpHOw', 'HwI2BOZgyH', 'LnWsxPJ4juD65rP2hjM', 'AbcHifJUBIjBTUFiHR5'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, C3fSWt9lq6cmKjZivw.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EfQE7yjXWR', 'p8pEM7BtuY', 'bcpEzSesNq', 'IggcVKs8NZ', 'REocQe98h2', 'X3LcEHmv4m', 'wOTccurcWT', 'TwmC983JutLaM3C3XhY'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, bXnp9f6gTwWnsZSwLY.cs High entropy of concatenated method names: 'ediMMSJLjUbjgM2Bps9', 'C6aX53JxUK7cbY4NDIq', 'rju2xStvfi', 'Lee2FTakHU', 'MHL29wdmHP', 'Feo82IJHToxJrhOcgWA', 'glCVRsJwJMfBTIdKjgf', 'nGKAxXJeCZgFNRkPwdP'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, AHbEk21axUEqm7fT56.cs High entropy of concatenated method names: 'XkYdNJyc1F', 'WvHdSBQunH', 'Pd7dmAmHQG', 'fZpdafLxBr', 'Y9odKidkSY', 'ihpdl3RwNf', 'j42drRMGsn', 'dr0d8sN54i', 'H1cdUkra7D', 'abldBwODOR'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, EUEE8DvIqtuPeTiAGn.cs High entropy of concatenated method names: 'aHyOwAisgh', 'I4dOMX4yYi', 'wivxVxvdm0', 'xwsxQ6RUe8', 'RRuOPnYcbw', 'mvVOfLSB78', 'yG2OJFHgQy', 'VnGOkMKBG2', 'bj5OXZ1JCr', 'm9COITF3JE'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, q0rM6Liejcmga7tNtno.cs High entropy of concatenated method names: 'R4ZFN0nqB5', 'a4JFS1mZEj', 'jIAFmfI8rt', 'bxdFavRElW', 'gIBFKEQs57', 'uf4FlZGQ5R', 'SBJFr29lUi', 'IgfF8jR7Un', 'olWFUGuhdR', 'SR4FBw2256'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, O2HMwp5KwMD4Y1kAup.cs High entropy of concatenated method names: 'gLPFQ8WRia', 'Ay6FcxCWmF', 'Y4rFto6Ta2', 'yUpFZYxAId', 'COiFWYFcVJ', 'm75FhsNat0', 'NZmF236lSO', 'TkCxuKYQse', 'rq7xwdEaWu', 'dN2x7SgvV5'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, GrtMols1V6lhk2hI0e.cs High entropy of concatenated method names: 'LfOmNlmch', 'iHOaSaKfB', 'IOXljXW2Y', 'No3rfXCjV', 'oE5UhKHyc', 'GxZBNfhwk', 'hsHWbnBbkCLlpxpkYY', 'uo4XTDptJRSHPLOED5', 'rjNxdtopn', 'O8091ORpQ'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, rh0ThCo3wv2MPxBtFh.cs High entropy of concatenated method names: 'bvCWktd9Un', 'CXoWXsSeLD', 'UimWICFGc7', 'wRVWjFOmOw', 't35WvTPpnY', 'cbuWHyNYlv', 'AopWuHkapR', 'QWiWwNACnt', 'BY2W725YeL', 'TBUWMMVLlA'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, BnI13jwnKRvNGvGP2F.cs High entropy of concatenated method names: 'XiPxZZTTZo', 'dqVxWFf3AG', 'nOIxYJl1n1', 'EWYxh672ZR', 'w03x2uP2bI', 'Qkyxdfyf1i', 'Ax2xT3HDRa', 'UrQxGNdgN9', 'gwox0w8D3Q', 'hc3xgdHuRu'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, DCnUwxkrso4naVYmQk.cs High entropy of concatenated method names: 'pGs2ydnUoS', 'fda2WdKc3N', 'fSS2heoCTv', 'fc42dM5wQ0', 'NyS2TFFYVD', 'IkPhvmvH43', 'FWjhHSjLDu', 'OuPhuc6Jfa', 'hu4hwy6Yk5', 'F6Xh7KppkR'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, WWBcScFrnYSGoAdw3C.cs High entropy of concatenated method names: 'X9xs8HMKZe', 'PDJsU15Pkk', 'ld1sCvPaMy', 'a0jsA4auOZ', 'p19s6stuAr', 'jZHs5C6S9B', 'Nc7sbGR7AL', 'bqYs49YAkE', 'sRTsL1qtjp', 'xirsP9HP8j'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, f1i4Sn8yTX9wQ64gor.cs High entropy of concatenated method names: 'Uu8cyPWXYh', 'gEicZKBvbn', 'a2kcWAnssT', 'ktIcYXQiBs', 'FCQch0Vdcw', 'AfNc25cReP', 'wbtcdDfC6G', 'lQrcT1IyVq', 'VRAcGfENOM', 'kvLc04e9fL'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, DuoeAeiZfYcQfs4fvYT.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QiO9kj98xK', 'YVl9XWBtjT', 'yF09IpiRII', 'lG19jlAvA7', 'gVd9vMeyU1', 'Dh79HvQwYC', 'Jvu9uApxUD'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, jp5tqDr4CYlZBQwy1A.cs High entropy of concatenated method names: 'NruQd0LmkF', 'zxhQTicd5E', 'VYqQ0Zalrk', 'qlJQgshZ01', 'HvWQ1FXJyw', 'EFCQeSi0VT', 'qrO0tfP2qTVx0lXmvM', 'gIeXPesq9Wbn0mKoPC', 'DT7QQgT3Zi', 'OdIQcvgl1G'
Source: 0.2.PROOF OF PAYMENT.scr.exe.41c08e0.6.raw.unpack, rpsPfDxQy929cynlVU.cs High entropy of concatenated method names: 'KP8YarIFlX', 'HPYYlM5e3e', 't8xY8jAGvr', 'MLbYUMO6F6', 'fyHY1Qyoug', 'JjvYeH29v8', 'eZiYOvemZg', 's7BYxOsOSU', 'I62YFsMrZj', 'zqAY9m9S4u'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, a7WH18Hcc20wPeWQJl.cs High entropy of concatenated method names: 'vMdhK16Qy4', 'AfehrDnT0s', 'd7XYDO1hi3', 'y3ZY6kY8ZF', 'erVY5Ubmoc', 'FMkYiHgHZj', 'QG8YbqU8ov', 'GsfY4IN3tB', 'IwSYRQ1iAp', 'wqrYLbLDVy'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, Rey2rtdvRpTeCLFBeL.cs High entropy of concatenated method names: 'Dispose', 'q2PQ7WshZd', 'VuMEArlkQY', 'S4IooGTDB7', 'GWlQMpmyVP', 'JKdQzahP8E', 'ProcessDialogKey', 'NOMEVEiiWw', 'l7TEQ59o19', 'jqFEEuyUBV'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, RmVeZLtcaKrdC0Uaus.cs High entropy of concatenated method names: 'ToString', 'nInePXmGxq', 'RhqeAiyn6r', 'VwdeDRiX08', 'nhPe6pCl8W', 'hVpe5viEja', 'iGyeigMoaI', 's8debL81ZH', 'p2Ie4nZ4wi', 'XA7eRY79mp'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, YYWK0OzQ8GnTyh7euo.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BXoFskcPry', 'r2vF1Etb6I', 'gj7FesUY1g', 'JZeFOtlUMR', 'XcVFxhsIw2', 'AciFF49OQJ', 'RjgF94bdvr'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, WwSNyg0DDuwGTvKVKj.cs High entropy of concatenated method names: 'Eay2pw1UVa', 'X3E2N6C52J', 'xnb2mQfn69', 'MmX2aquZts', 'sBw2lQBKVy', 'mHW2rGY8xd', 'kNv2UQpHOw', 'HwI2BOZgyH', 'LnWsxPJ4juD65rP2hjM', 'AbcHifJUBIjBTUFiHR5'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, C3fSWt9lq6cmKjZivw.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'EfQE7yjXWR', 'p8pEM7BtuY', 'bcpEzSesNq', 'IggcVKs8NZ', 'REocQe98h2', 'X3LcEHmv4m', 'wOTccurcWT', 'TwmC983JutLaM3C3XhY'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, bXnp9f6gTwWnsZSwLY.cs High entropy of concatenated method names: 'ediMMSJLjUbjgM2Bps9', 'C6aX53JxUK7cbY4NDIq', 'rju2xStvfi', 'Lee2FTakHU', 'MHL29wdmHP', 'Feo82IJHToxJrhOcgWA', 'glCVRsJwJMfBTIdKjgf', 'nGKAxXJeCZgFNRkPwdP'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, AHbEk21axUEqm7fT56.cs High entropy of concatenated method names: 'XkYdNJyc1F', 'WvHdSBQunH', 'Pd7dmAmHQG', 'fZpdafLxBr', 'Y9odKidkSY', 'ihpdl3RwNf', 'j42drRMGsn', 'dr0d8sN54i', 'H1cdUkra7D', 'abldBwODOR'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, EUEE8DvIqtuPeTiAGn.cs High entropy of concatenated method names: 'aHyOwAisgh', 'I4dOMX4yYi', 'wivxVxvdm0', 'xwsxQ6RUe8', 'RRuOPnYcbw', 'mvVOfLSB78', 'yG2OJFHgQy', 'VnGOkMKBG2', 'bj5OXZ1JCr', 'm9COITF3JE'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, q0rM6Liejcmga7tNtno.cs High entropy of concatenated method names: 'R4ZFN0nqB5', 'a4JFS1mZEj', 'jIAFmfI8rt', 'bxdFavRElW', 'gIBFKEQs57', 'uf4FlZGQ5R', 'SBJFr29lUi', 'IgfF8jR7Un', 'olWFUGuhdR', 'SR4FBw2256'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, O2HMwp5KwMD4Y1kAup.cs High entropy of concatenated method names: 'gLPFQ8WRia', 'Ay6FcxCWmF', 'Y4rFto6Ta2', 'yUpFZYxAId', 'COiFWYFcVJ', 'm75FhsNat0', 'NZmF236lSO', 'TkCxuKYQse', 'rq7xwdEaWu', 'dN2x7SgvV5'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, GrtMols1V6lhk2hI0e.cs High entropy of concatenated method names: 'LfOmNlmch', 'iHOaSaKfB', 'IOXljXW2Y', 'No3rfXCjV', 'oE5UhKHyc', 'GxZBNfhwk', 'hsHWbnBbkCLlpxpkYY', 'uo4XTDptJRSHPLOED5', 'rjNxdtopn', 'O8091ORpQ'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, rh0ThCo3wv2MPxBtFh.cs High entropy of concatenated method names: 'bvCWktd9Un', 'CXoWXsSeLD', 'UimWICFGc7', 'wRVWjFOmOw', 't35WvTPpnY', 'cbuWHyNYlv', 'AopWuHkapR', 'QWiWwNACnt', 'BY2W725YeL', 'TBUWMMVLlA'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, BnI13jwnKRvNGvGP2F.cs High entropy of concatenated method names: 'XiPxZZTTZo', 'dqVxWFf3AG', 'nOIxYJl1n1', 'EWYxh672ZR', 'w03x2uP2bI', 'Qkyxdfyf1i', 'Ax2xT3HDRa', 'UrQxGNdgN9', 'gwox0w8D3Q', 'hc3xgdHuRu'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, DCnUwxkrso4naVYmQk.cs High entropy of concatenated method names: 'pGs2ydnUoS', 'fda2WdKc3N', 'fSS2heoCTv', 'fc42dM5wQ0', 'NyS2TFFYVD', 'IkPhvmvH43', 'FWjhHSjLDu', 'OuPhuc6Jfa', 'hu4hwy6Yk5', 'F6Xh7KppkR'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, WWBcScFrnYSGoAdw3C.cs High entropy of concatenated method names: 'X9xs8HMKZe', 'PDJsU15Pkk', 'ld1sCvPaMy', 'a0jsA4auOZ', 'p19s6stuAr', 'jZHs5C6S9B', 'Nc7sbGR7AL', 'bqYs49YAkE', 'sRTsL1qtjp', 'xirsP9HP8j'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, f1i4Sn8yTX9wQ64gor.cs High entropy of concatenated method names: 'Uu8cyPWXYh', 'gEicZKBvbn', 'a2kcWAnssT', 'ktIcYXQiBs', 'FCQch0Vdcw', 'AfNc25cReP', 'wbtcdDfC6G', 'lQrcT1IyVq', 'VRAcGfENOM', 'kvLc04e9fL'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, DuoeAeiZfYcQfs4fvYT.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QiO9kj98xK', 'YVl9XWBtjT', 'yF09IpiRII', 'lG19jlAvA7', 'gVd9vMeyU1', 'Dh79HvQwYC', 'Jvu9uApxUD'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, jp5tqDr4CYlZBQwy1A.cs High entropy of concatenated method names: 'NruQd0LmkF', 'zxhQTicd5E', 'VYqQ0Zalrk', 'qlJQgshZ01', 'HvWQ1FXJyw', 'EFCQeSi0VT', 'qrO0tfP2qTVx0lXmvM', 'gIeXPesq9Wbn0mKoPC', 'DT7QQgT3Zi', 'OdIQcvgl1G'
Source: 0.2.PROOF OF PAYMENT.scr.exe.9680000.11.raw.unpack, rpsPfDxQy929cynlVU.cs High entropy of concatenated method names: 'KP8YarIFlX', 'HPYYlM5e3e', 't8xY8jAGvr', 'MLbYUMO6F6', 'fyHY1Qyoug', 'JjvYeH29v8', 'eZiYOvemZg', 's7BYxOsOSU', 'I62YFsMrZj', 'zqAY9m9S4u'
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File created: C:\Users\user\AppData\Roaming\hXGmUcb.exe
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File created: C:\Program Files (x86)\DNS Host\dnshost.exe

Boot Survival

Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe File opened: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 2310000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 2570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 2470000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 7330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 6C60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 8330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 9330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 9700000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: A700000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: B700000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 1300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: 1440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: 2520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: 2740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: 6BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: 7BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: 7D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: 8D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: 93A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: A3A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: B3B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: 1110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: 2AB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory allocated: 4AB0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 9D0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 2720000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 2560000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 6DA0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 6AC0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 7DA0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 8DA0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 9340000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 1330000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7836
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 782
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8347
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1113
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Window / User API: threadDelayed 4342
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Window / User API: threadDelayed 5450
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Window / User API: foregroundWindowGot 1215
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe TID: 2696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe TID: 7660 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe TID: 7708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe TID: 7984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 8116 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7404 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Amcache.hve.27.dr Binary or memory string: VMware
Source: Amcache.hve.27.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.27.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.27.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.27.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.27.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.27.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.27.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.27.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.27.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.27.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.27.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3241713643.000000000139E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.27.dr Binary or memory string: vmci.sys
Source: Amcache.hve.27.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.27.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.27.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.27.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.27.dr Binary or memory string: VMware20,1
Source: Amcache.hve.27.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.27.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.27.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.27.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.27.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.27.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.27.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.27.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.27.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.27.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.27.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe"
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe" Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Memory written: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Memory written: C:\Users\user\AppData\Roaming\hXGmUcb.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory written: C:\Program Files (x86)\DNS Host\dnshost.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe" Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp" Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp5513.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Process created: C:\Users\user\AppData\Roaming\hXGmUcb.exe "C:\Users\user\AppData\Roaming\hXGmUcb.exe" Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp7AEB.tmp"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
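The three behaviours recorded above (a PowerShell child adding a Defender exclusion for the parent's own image, schtasks.exe registering a task from an XML file in the user's Temp folder, and the sample spawning a copy of itself ahead of the 0x400000 "4D5A" memory write) are all visible in ordinary process-creation telemetry. The following is an added detection example, not part of the Joe Sandbox report or of the sample; it assumes Sysmon-style events with parent image, image and command line, and the event list is constructed from the process lines above plus two invented benign controls so the scoring can be seen to discriminate.

```python
"""Score process-creation events for the defence-evasion pattern shown in the report."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # full path of the creating process
    image: str          # full path of the created process
    command_line: str   # command line as logged (quotes preserved)


# Constructed sample: the first four events copy the report's process lines,
# the last two are made-up benign controls (an admin excluding a build folder,
# a task created from a packaged XML outside %TEMP%).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hXGmUcb.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\user\AppData\Local\Temp\tmp314F.tmp"'),
    ProcEvent(r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
              r"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe",
              r'"C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "D:\build\cache"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
]

# Argument values may be quoted (paths with spaces) or bare; accept both.
EXCLUSION_RE = re.compile(r'Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)
TN_RE = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
USER_PATH_RE = re.compile(r'^[A-Za-z]:\\Users\\', re.I)
TEMP_PATH_RE = re.compile(r'\\AppData\\Local\\Temp\\|\\Windows\\Temp\\', re.I)


def detect_defender_exclusion(ev):
    """Any Add-MpPreference exclusion is worth a look; excluding the parent's own
    image, or anything under a user profile, is the malware pattern from the report."""
    if not ev.image.lower().endswith("powershell.exe"):
        return None
    m = EXCLUSION_RE.search(ev.command_line)
    if not m:
        return None
    kind, target = m.group(1), m.group(2) or m.group(3)
    suspicious = target.lower() == ev.parent_image.lower() or USER_PATH_RE.search(target)
    return ("defender_exclusion", "high" if suspicious else "medium", f"{kind}={target}")


def detect_temp_task(ev):
    """schtasks /Create whose task definition is read from a temp-folder XML file."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return None
    cl = ev.command_line
    if not re.search(r'/create\b', cl, re.I):
        return None
    xm = XML_RE.search(cl)
    if not xm:
        return None
    xml_path = xm.group(1) or xm.group(2)
    tm = TN_RE.search(cl)
    task = (tm.group(1) or tm.group(2)) if tm else "?"
    if TEMP_PATH_RE.search(xml_path):
        return ("task_from_temp_xml", "high", f"{task} <- {xml_path}")
    return None


def detect_self_spawn(ev):
    """A process launching its own image. Noisy on its own (browsers do it), so it
    is scored medium; it is the precursor to the suspended-child hollowing seen here."""
    if ev.parent_image.lower() == ev.image.lower():
        return ("self_spawn", "medium", ev.image)
    return None


def scan(events):
    """Return (rule, severity, detail) tuples for every event that matches a detector."""
    findings = []
    for ev in events:
        for detector in (detect_defender_exclusion, detect_temp_task, detect_self_spawn):
            hit = detector(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, severity, detail in scan(SAMPLE_EVENTS):
        print(f"[{severity:6}] {rule}: {detail}")
```

On a host suspected of running this sample, the same two artefacts can be confirmed directly: `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists every Defender path exclusion currently in force, and `schtasks /Query /TN "Updates\hXGmUcb" /XML` dumps the registered task definition, which shows the executable the persistence points at after the temp XML has been deleted.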
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003370000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q|
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q<
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q$g[
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003370000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000033E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003224000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q@
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000324B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q\#'
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qt3
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q|'M
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qD
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003306000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qLm0
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^ql
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000365A000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q,
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000033FD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qx+@
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003240000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q0
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000033FD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q84@
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3258273905.0000000006E5D000.00000004.00000010.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3258155369.0000000006B5D000.00000004.00000010.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3258747252.00000000075AE000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program ManagerR
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003224000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000365A000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager`
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000327C000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qt
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000327C000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q4
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q\rK
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000033FD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qx
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003434000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qT_C
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q\
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003224000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003316000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q0m1
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000365A000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q`
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q$
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qd
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qT&
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003370000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003434000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000035D8000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qh
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q(
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qLuT
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003316000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000339E000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003434000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerlB^q
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000033D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qL
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qHec
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.000000000361E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q$"d
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q$FH
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003434000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qtIC
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003434000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q4RC
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q8bO
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003240000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp, PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003438000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qP
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q,#
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q$}[
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qT
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003545000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qxWU
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.0000000003144000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^qX
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Queries volume information: C:\Users\user\AppData\Roaming\hXGmUcb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Queries volume information: C:\Users\user\AppData\Roaming\hXGmUcb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\hXGmUcb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.27.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.27.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.27.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.27.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.3579970.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.3579970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4f20000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4f20000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1719041466.0000000004F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1716851418.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: PROOF OF PAYMENT.scr.exe, 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3252685387.000000000411B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3252685387.000000000411B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLog
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3254825216.0000000005740000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PROOF OF PAYMENT.scr.exe, 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: hXGmUcb.exe, 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: hXGmUcb.exe, 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: hXGmUcb.exe, 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: hXGmUcb.exe, 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: hXGmUcb.exe, 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: hXGmUcb.exe, 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000015.00000002.1938368826.0000000003D9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000015.00000002.1938368826.0000000003D9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLog
Source: dnshost.exe, 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3b045a5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.41c7f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.4195508.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.449a988.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.4467f68.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.4195508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afff7c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.4467f68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dnshost.exe.41c7f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.hXGmUcb.exe.449a988.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4296d60.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.PROOF OF PAYMENT.scr.exe.5aa0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.hXGmUcb.exe.3afb146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.42c9780.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.1848025464.0000000003AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3255202049.0000000005AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1716851418.0000000004296000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1845298731.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1900664076.0000000004195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1811391295.0000000004467000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1936223205.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1847283853.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3244837241.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 6852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PROOF OF PAYMENT.scr.exe PID: 7580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hXGmUcb.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hXGmUcb.exe PID: 7956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.3579970.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.3579970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4f20000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PROOF OF PAYMENT.scr.exe.4f20000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1719041466.0000000004F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1716851418.0000000003579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY