

Analysis Report PROOF OF PAYMENT.exe

Overview

General Information

Sample Name: PROOF OF PAYMENT.exe
Analysis ID: 342778
MD5: dcf168394ef0a6d6774b099dd8493b75
SHA1: 565c77fa9f7f22229ff5aabad52f6f9e0c5fbce0
SHA256: 373e294fccf1cbc447469aeb6fc86678efbfd072b5035a295d1fc74ce6e9fd79
Tags: exe, NanoCore, RAT


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PROOF OF PAYMENT.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\PROOF OF PAYMENT.exe' MD5: DCF168394EF0A6D6774B099DD8493B75)
    • schtasks.exe (PID: 6012 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5820 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DCF168394EF0A6D6774B099DD8493B75)
    • schtasks.exe (PID: 2208 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6780 cmdline: {path} MD5: DCF168394EF0A6D6774B099DD8493B75)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.131"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(34 further memory-dump matches not shown in this extract)

      Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
7.2.PROOF OF PAYMENT.exe.5ee0000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
7.2.PROOF OF PAYMENT.exe.5ee0000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(11 further unpacked-PE matches not shown in this extract)

        Sigma Overview

        System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\PROOF OF PAYMENT.exe, ProcessId: 6816, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\PROOF OF PAYMENT.exe', ParentImage: C:\Users\user\Desktop\PROOF OF PAYMENT.exe, ParentProcessId: 7064, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp', ProcessId: 6012
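Both Sigma hits above map onto host telemetry that a Sysmon or EDR pipeline already collects: a process-creation event for schtasks.exe whose /XML argument points into a temp directory, and a file-creation event for run.dat under a GUID-named directory in Roaming. The Python below is added here as a worked example; it is not Joe Sandbox code and not a Sigma backend. It evaluates both detections over constructed Sysmon-style records (Event ID 1 and Event ID 11) modelled on the fields the report shows. The benign control events, the list of temp directories and the GUID-directory pattern are assumptions of the example.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed Sysmon-style records (not taken from the sandbox), modelled on
# the fields the report's Sigma output shows. Events 2 and 3 are benign controls.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'",
     "ParentImage": r"C:\Users\user\Desktop\PROOF OF PAYMENT.exe"},
    {"EventID": 11,
     "Image": r"C:\Users\user\Desktop\PROOF OF PAYMENT.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Create /TN Backup /XML C:\ProgramData\backup\task.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\doc.lnk"},
]

# Assumption: these are the "temp locations" the rule is concerned with.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# <Roaming>\<GUID>\run.dat, the per-install directory seen in the report.
GUID_RUN_DAT = re.compile(
    r"\\appdata\\roaming\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\\run\.dat$", re.I)


def xml_arg(cmdline: str) -> Optional[str]:
    """Return the path passed to schtasks /XML, single-quoted or bare, or None."""
    m = re.search(r"/xml\s+(?:'([^']+)'|(\S+))", cmdline, re.I)
    if not m:
        return None
    return next(g for g in m.groups() if g)


def rule_scheduled_temp_task(ev: Dict) -> bool:
    """schtasks.exe /Create whose task-definition XML lives in a temp directory."""
    if ev.get("EventID") != 1:
        return False
    if not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return False
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return False
    xml = xml_arg(cmd)
    return xml is not None and any(t in xml.lower() for t in TEMP_DIRS)


def rule_nanocore_run_dat(ev: Dict) -> bool:
    """File creation of run.dat under a GUID-named Roaming directory."""
    return ev.get("EventID") == 11 and bool(GUID_RUN_DAT.search(ev.get("TargetFilename", "")))


RULES: Dict[str, Callable[[Dict], bool]] = {
    "Scheduled temp file as task from temp location": rule_scheduled_temp_task,
    "NanoCore": rule_nanocore_run_dat,
}


def evaluate(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every event."""
    hits = []
    for idx, ev in enumerate(events):
        for name, check in RULES.items():
            if check(ev):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The schtasks check keys on the image path rather than the command line because the report shows the sample invoking System32\schtasks.exe while the process that actually starts is the SysWOW64 copy; matching the trailing file name covers both.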

        Signature Overview


        AV Detection:

Found malware configuration
Source: PROOF OF PAYMENT.exe.6816.7.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.131"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match, file source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY
Source: Yara match, file source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY
Source: Yara match, file source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\pJrVfPIhXgkUp.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PROOF OF PAYMENT.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, Avira: Label: TR/NanoCore.fadte
Source: 17.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

        Compliance:

Uses 32bit PE files
Source: PROOF OF PAYMENT.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PROOF OF PAYMENT.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: ?\C:\Windows\dll\mscorlib.pdb source: PROOF OF PAYMENT.exe, 00000007.00000002.1027251638.0000000001081000.00000004.00000020.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h

        Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, IPs: 185.140.53.131
Uses dynamic DNS services
Source: unknown, DNS query: name: amechi.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic, TCP traffic: 192.168.2.4:49750 -> 185.140.53.131:3190
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown, DNS traffic detected: queries for: amechi.duckdns.org
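The DNS and flow lines above are the two network indicators a responder pivots on: a lookup of a dynamic-DNS name (amechi.duckdns.org) and a TCP session to the extracted C2 address on port 3190. Because the operator can re-point the DDNS name at any time, an alert keyed only on 185.140.53.131 goes stale; tying the non-standard-port alert to the DDNS resolution does not. The Python below is added here as a worked example and is not taken from the report or from Joe Sandbox. It correlates constructed DNS and flow records against the extracted configuration; the DDNS suffix list, the set of ports treated as standard and the benign control rows (TEST-NET addresses) are assumptions of the example.

```python
import ipaddress
from collections import defaultdict
from typing import List, Tuple

# Extracted configuration from the report, with the keys normalised.
NANOCORE_CONFIG = {"C2": ["185.140.53.131"], "Version": "NanoCore Client, Version=1.2.2.0"}

# Assumptions for the example: a short dynamic-DNS suffix list and the ports
# treated as "standard" for the non-standard-port check.
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")
STANDARD_PORTS = {22, 25, 53, 80, 443, 587, 993, 995, 8080}

# Constructed records (not a sandbox capture). The second row of each log is a
# benign control pointing at a TEST-NET address.
DNS_LOG = [  # (client, queried name, answer)
    ("192.168.2.4", "amechi.duckdns.org", "185.140.53.131"),
    ("192.168.2.4", "update.example.net", "203.0.113.10"),
]
FLOW_LOG = [  # (src, sport, dst, dport, proto)
    ("192.168.2.4", 49750, "185.140.53.131", 3190, "tcp"),
    ("192.168.2.4", 49751, "203.0.113.10", 443, "tcp"),
]


def is_ddns(name: str) -> bool:
    """True when the queried name sits under one of the dynamic-DNS suffixes."""
    return name.lower().endswith(DDNS_SUFFIXES)


def triage(dns_log, flow_log, config) -> List[Tuple[str, str, str]]:
    """Return (finding, client, indicator) tuples.

    Three checks: a dynamic-DNS lookup; a flow to an address listed in the
    extracted config; and a flow on a non-standard port to an address that a
    dynamic-DNS name resolved to, which still fires after the C2 IP changes.
    """
    c2 = {ipaddress.ip_address(ip) for ip in config["C2"]}
    resolved = defaultdict(set)  # answer address -> names that resolved to it
    findings = []
    for client, name, answer in dns_log:
        resolved[ipaddress.ip_address(answer)].add(name)
        if is_ddns(name):
            findings.append(("dynamic_dns_query", client, name))
    for src, _sport, dst, dport, _proto in flow_log:
        dip = ipaddress.ip_address(dst)
        if dip in c2:
            findings.append(("c2_config_match", src, f"{dst}:{dport}"))
        if dport not in STANDARD_PORTS and any(is_ddns(n) for n in resolved.get(dip, ())):
            findings.append(("ddns_host_nonstandard_port", src, f"{dst}:{dport}"))
    return findings


if __name__ == "__main__":
    for finding in triage(DNS_LOG, FLOW_LOG, NANOCORE_CONFIG):
        print(finding)
```

Resolution is keyed on the answer address so that a later flow can be attributed to the name even when the DNS response and the connection are logged by different sensors.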
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: PROOF OF PAYMENT.exe, 00000001.00000002.698087475.0000000002BA6000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.755447551.0000000003486000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.ascendercorp.com/typedesigners.html:
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667062493.000000000B3A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com(
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comD
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comR
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.come
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comf
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667062493.000000000B3A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comt
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comueX
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comva
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comz
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: PROOF OF PAYMENT.exe, 00000001.00000003.675123633.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers(
Source: PROOF OF PAYMENT.exe, 00000001.00000003.668834638.000000000B3C9000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PROOF OF PAYMENT.exe, 00000001.00000003.670641038.000000000B3C3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PROOF OF PAYMENT.exe, 00000001.00000003.670715362.000000000B3C3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlormal
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669981678.000000000B39D000.00000004.00000001.sdmp, PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PROOF OF PAYMENT.exe, 00000001.00000003.670107984.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html.
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: PROOF OF PAYMENT.exe, 00000001.00000003.668897969.000000000B3A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersZ
Source: PROOF OF PAYMENT.exe, 00000001.00000003.668897969.000000000B3A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersj
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comFf
Source: PROOF OF PAYMENT.exe, 00000001.00000003.670674990.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comalic_
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comals
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comcomd
Source: PROOF OF PAYMENT.exe, 00000001.00000003.670107984.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comcomd_
Source: PROOF OF PAYMENT.exe, 00000001.00000003.696672589.000000000B390000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comcommm
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd_
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comdiaF
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comessed
Source: PROOF OF PAYMENT.exe, 00000001.00000003.675123633.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comionF
Source: PROOF OF PAYMENT.exe, 00000001.00000003.675123633.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.commm
Source: PROOF OF PAYMENT.exe, 00000001.00000003.668748768.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comnc.
Source: PROOF OF PAYMENT.exe, 00000001.00000003.669066568.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.como
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671106569.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.como.
Source: PROOF OF PAYMENT.exe, 00000001.00000003.696672589.000000000B390000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.como5
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comtuedm
Source: PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comued
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp, PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnf
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnl
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnz
Source: PROOF OF PAYMENT.exe, 00000001.00000003.672895387.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: PROOF OF PAYMENT.exe, 00000001.00000003.672733617.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/.
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PROOF OF PAYMENT.exe, 00000001.00000003.674156675.000000000B3C3000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmY
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, PROOF OF PAYMENT.exe, 00000001.00000003.667385656.000000000B39C000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667263984.000000000B39C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp//Mo_
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666912527.000000000B395000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Sue
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667263984.000000000B39C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/anie
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666912527.000000000B395000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/e
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/f
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667077696.000000000B399000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/on
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667077696.000000000B399000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/roso
Source: PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: PROOF OF PAYMENT.exe, 00000001.00000003.665018666.00000000010DC000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cno.
Creates a DirectInput object (often for capturing keystrokes)
Source: dhcpmon.exe, 0000000C.00000002.754370160.0000000001598000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, file source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY
Source: Yara match, file source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY
Source: Yara match, file source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE

        System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.1031725645.0000000005EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.PROOF OF PAYMENT.exe.5ee0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
        Source: initial sampleStatic PE information: Filename: PROOF OF PAYMENT.exe
PE file contains section with special chars
        Source: PROOF OF PAYMENT.exeStatic PE information: section name: \D|.aH
        Source: pJrVfPIhXgkUp.exe.1.drStatic PE information: section name: \D|.aH
        Source: dhcpmon.exe.7.drStatic PE information: section name: \D|.aH
PE file has nameless sections
        Source: PROOF OF PAYMENT.exeStatic PE information: section name:
        Source: pJrVfPIhXgkUp.exe.1.drStatic PE information: section name:
        Source: dhcpmon.exe.7.drStatic PE information: section name:
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E704F9
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E718BF
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E74498
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E72450
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E76C5F
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E735F8
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E7C260
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E72BF8
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E7A880
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E7448F
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E7784F
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E76800
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E76810
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E765E7
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E765F0
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E7B5B0
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E76AA0
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E76A97
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E76270
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E75360
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_00E75F60
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_0508942C
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_0508B440
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 1_2_0508B450
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 7_2_00A21DC8
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 7_2_02CDE480
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 7_2_02CDE471
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 7_2_02CDBBD4
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeCode function: 7_2_06360040
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D2BF8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D35F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D6C59
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D2450
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D4498
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D18B8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D04FA
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D5351
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D5F51
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D5360
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D5F60
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D779A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D43B1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D23B2
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D6270
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D6A90
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D6AA0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D5ED0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031DB5B0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D65F0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D65E0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D6810
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031D6800
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_031DA880
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_05BBD598
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_05BBF2D8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_05BBDE00
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_00B71DC8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_02D5E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_02D5E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_02D5BBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_0541F5F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_05419788
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 17_2_0541A610
        Source: PROOF OF PAYMENT.exeBinary or memory string: OriginalFilename vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.705882982.00000000059F0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.705882982.00000000059F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.697879693.0000000002AE1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.705705198.00000000058F0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.697967874.0000000002B2B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000001.00000002.696982311.0000000000741000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameW4.exe4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exeBinary or memory string: OriginalFilename vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1027198906.0000000001058000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1031587707.0000000005E70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000003.700302329.00000000010E1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameW4.exe4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1033040120.0000000006D30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exeBinary or memory string: OriginalFilenameW4.exe4 vs PROOF OF PAYMENT.exe
        Source: PROOF OF PAYMENT.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.1031725645.0000000005EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.1031725645.0000000005EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.PROOF OF PAYMENT.exe.5ee0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.PROOF OF PAYMENT.exe.5ee0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: PROOF OF PAYMENT.exeStatic PE information: Section: \D|.aH ZLIB complexity 1.00031458436
        Source: pJrVfPIhXgkUp.exe.1.drStatic PE information: Section: \D|.aH ZLIB complexity 1.00031458436
        Source: dhcpmon.exe.7.drStatic PE information: Section: \D|.aH ZLIB complexity 1.00031458436
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@12/8@27/2
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeFile created: C:\Program Files (x86)\DHCP Monitor
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeFile created: C:\Users\user\AppData\Roaming\pJrVfPIhXgkUp.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMutant created: \Sessions\1\BaseNamedObjects\PnmXhPVzgJDQDpLkGDRIrZrAwD
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{c3f2ffac-72ce-4a70-9d04-4f6a62cc4c81}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_01
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeFile created: C:\Users\user\AppData\Local\Temp\tmpE52C.tmp
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeFile read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeFile read: C:\Users\user\Desktop\PROOF OF PAYMENT.exe
        Source: unknownProcess created: C:\Users\user\Desktop\PROOF OF PAYMENT.exe 'C:\Users\user\Desktop\PROOF OF PAYMENT.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\PROOF OF PAYMENT.exe {path}
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeProcess created: C:\Users\user\Desktop\PROOF OF PAYMENT.exe {path}
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: PROOF OF PAYMENT.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: PROOF OF PAYMENT.exeStatic file information: File size 1168384 > 1048576
        Source: PROOF OF PAYMENT.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: ?\C:\Windows\dll\mscorlib.pdb source: PROOF OF PAYMENT.exe, 00000007.00000002.1027251638.0000000001081000.00000004.00000020.sdmp

        Data Obfuscation:

Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeUnpacked PE file: 1.2.PROOF OF PAYMENT.exe.640000.0.unpack \D|.aH:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 12.2.dhcpmon.exe.e60000.0.unpack \D|.aH:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
        .NET source code contains potential unpackerShow sources
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 17.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0x83ABA3EF [Sun Jan 1 20:51:59 2040 UTC]
Source: PROOF OF PAYMENT.exe | Static PE information: section name: \D|.aH
Source: PROOF OF PAYMENT.exe | Static PE information: section name: (empty)
Source: pJrVfPIhXgkUp.exe.1.dr | Static PE information: section name: \D|.aH
Source: pJrVfPIhXgkUp.exe.1.dr | Static PE information: section name: (empty)
Source: dhcpmon.exe.7.dr | Static PE information: section name: \D|.aH
Source: dhcpmon.exe.7.dr | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Code function: 1_2_00721604 push cs; iretd
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Code function: 1_2_007215D8 push cs; iretd
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Code function: 1_2_00722989 push ebp; retf
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Code function: 1_2_00E73A43 push esi; retf
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Code function: 1_2_00E71F2A push ebp; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00F415D8 push cs; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00F42989 push ebp; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_00F41604 push cs; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_031D1F2A push ebp; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_031D3A43 push esi; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_05BB34A6 push edx; iretd
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 17_2_0541B5E0 push eax; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 17_2_054169F8 pushad ; retf
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 17_2_054169FB push esp; retf
Source: initial sample | Static PE information: section name: \D|.aH entropy: 7.99982924254 (3 identical entries, collapsed)
Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 17.2.dhcpmon.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 17.2.dhcpmon.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | File created: C:\Users\user\AppData\Roaming\pJrVfPIhXgkUp.exe
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
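The static indicators above (a build stamp in 2040, a section named \D|.aH that is both writable and executable, a nameless section, and a section entropy of 7.9998) are cheap to check before a sample ever reaches a sandbox. The script below is an added example and is not part of the Joe Sandbox report or its detection logic: it parses only the PE fields it needs with the standard library (no pefile), flags each of those four conditions, and runs against a constructed minimal PE that mirrors the report's values. The entropy threshold, the "normal section name" pattern and the fixed reference date are assumptions.

```python
"""Static PE triage for the indicators listed in this report:
future build timestamp, nameless or odd section names, writable+executable
sections, and per-section Shannon entropy.  Added example, not sandbox code."""
import math
import re
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.5                                   # assumption: packed data sits near 8 bits/byte
NORMAL_SECTION_NAME = re.compile(r"\.?[A-Za-z0-9_$]{1,8}")  # assumption: what linkers normally emit


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Return (TimeDateStamp, [(name, characteristics, raw_bytes), ...]) from the headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = table + i * 40                               # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        chars = struct.unpack_from("<I", pe, off + 36)[0]            # Characteristics
        sections.append((name, chars, pe[raw_ptr:raw_ptr + raw_size]))
    return timestamp, sections


def triage(pe: bytes, now=None) -> dict:
    """Summarise the checks a reviewer would run first on a sample like this one."""
    now = now or datetime.now(timezone.utc)
    timestamp, sections = parse_pe(pe)
    built = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    report = {"timestamp": built.isoformat(), "future_timestamp": built > now, "sections": []}
    for name, chars, raw in sections:
        perms = "".join(p for p, bit in (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ),
                                         ("W", IMAGE_SCN_MEM_WRITE)) if chars & bit)
        entropy = round(shannon_entropy(raw), 4)
        flags = []
        if name == "":
            flags.append("nameless")
        elif not NORMAL_SECTION_NAME.fullmatch(name):
            flags.append("odd_name")
        if "E" in perms and "W" in perms:
            flags.append("writable_code")                  # code that can rewrite itself (unpacks in place)
        if entropy > ENTROPY_THRESHOLD:
            flags.append("high_entropy")
        report["sections"].append({"name": name, "perms": perms, "entropy": entropy, "flags": flags})
    report["suspicious"] = report["future_timestamp"] or any(s["flags"] for s in report["sections"])
    return report


def build_pe(timestamp: int, sections) -> bytes:
    """Assemble a minimal, non-runnable PE image with the given section table (test fixture)."""
    nsec = len(sections)
    header_len = 0x40 + 4 + 20 + 40 * nsec                 # DOS stub + signature + COFF + section table
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, timestamp, 0, 0, 0, 0x102)
    table, body, raw_ptr = b"", b"", header_len
    for name, chars, data in sections:
        table += name.ljust(8, b"\0")[:8] + struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data),
                                                         raw_ptr, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + table + body


# Constructed sample mirroring the report: 2040 build stamp, a packed EW section named \D|.aH,
# a nameless section and an ordinary read-only .rsrc.  Not the actual sample's bytes.
SAMPLE = build_pe(0x83ABA3EF, [
    (b"\\D|.aH", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE, bytes(range(256)) * 16),
    (b"", IMAGE_SCN_MEM_READ, b"\0" * 512),
    (b".rsrc", IMAGE_SCN_MEM_READ, b"A" * 64 + b"\0" * 64),
])


def sample_report() -> dict:
    """Triage the constructed sample against an assumed fixed reference date."""
    return triage(SAMPLE, now=datetime(2021, 1, 20, tzinfo=timezone.utc))


if __name__ == "__main__":
    import json
    print(json.dumps(sample_report(), indent=2))
```

A writable+executable section with entropy near 8.0 and a name no linker would produce is the static fingerprint of the "changes PE section rights" behaviour seen at runtime above; the future timestamp on its own is weak evidence (some toolchains zero or randomise it), so it only contributes to the verdict rather than deciding it.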

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'
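The persistence step above is the one the Sigma hit "Scheduled temp file as task from temp location" refers to: schtasks.exe /Create is given its whole task definition as an XML file that the sample wrote to %LOCALAPPDATA%\Temp and then deletes. The detector below is an added example, not the Sigma rule or the sandbox's signature: it tokenises a process-creation command line (double- or single-quoted, since the report renders quotes as '), pulls out /TN, /XML and /TR, and flags a /Create whose XML lives in a temp directory or whose parent runs from a user-writable path. The two hostile events are the command lines from this report; the two benign controls, the temp-directory list and the user-writable heuristic are constructed assumptions.

```python
"""Flag schtasks.exe /Create invocations fed from a temp-location XML file.
Added example built from the command lines in this report; not the Sigma rule."""
import re

TOKEN = re.compile(r'''"([^"]*)"|'([^']*)'|(\S+)''')
TEMP_LOCATION = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%|%TMP%", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)  # assumption


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, honouring double and single quotes."""
    return [dq or sq or bare for dq, sq, bare in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str):
    """Return the /Create parameters, or None if this is not a schtasks invocation."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks.exe", "schtasks"):
        return None
    params = {"create": False, "tn": None, "xml": None, "tr": None}
    i = 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/create":
            params["create"] = True
        elif flag in ("/tn", "/xml", "/tr") and i + 1 < len(toks):
            params[flag[1:]] = toks[i + 1]             # value follows the switch
            i += 1
        i += 1
    return params


def assess(event: dict):
    """Score one process-creation event; return a finding dict or None."""
    params = parse_schtasks(event["cmdline"])
    if not params or not params["create"]:
        return None
    reasons = []
    if params["xml"] and TEMP_LOCATION.search(params["xml"]):
        reasons.append("task XML read from a temp location")
    if USER_WRITABLE.search(event.get("parent", "")):
        reasons.append("created by a process running from a user-writable path")
    if not reasons:
        return None
    return {"parent": event.get("parent"), "task": params["tn"], "xml": params["xml"], "reasons": reasons}


def scan(events) -> list:
    """Run assess() over a sequence of {parent, cmdline} events, keeping the findings."""
    return [f for f in (assess(e) for e in events) if f]


EVENTS = [
    # The two schtasks command lines from this report, quoted as the report renders them
    {"parent": r"C:\Users\user\Desktop\PROOF OF PAYMENT.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'"},
    {"parent": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp'"},
    # Constructed benign controls (not from the report)
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater-task.xml"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\Tools\backup.cmd"'},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Because the XML is deleted right after registration, the command line is usually the only copy of the path an analyst gets; the task itself survives under the Task Scheduler library (here Updates\pJrVfPIhXgkUp), which is where to look when cleaning up.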

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | File opened: C:\Users\user\Desktop\PROOF OF PAYMENT.exe:Zone.Identifier (access: read attributes, delete)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Process information set: NOOPENFILEERRORBOX (74 identical entries, collapsed)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (56 identical entries, collapsed)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000001.00000002.697967874.0000000002B2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.exe PID: 7064, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5820, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PROOF OF PAYMENT.exe, 00000001.00000002.697967874.0000000002B2B000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PROOF OF PAYMENT.exe, 00000001.00000002.697967874.0000000002B2B000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Thread delayed: delay time: 922337203685477 (2 identical entries, collapsed)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477 (2 identical entries, collapsed)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Window / User API: threadDelayed 3488
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Window / User API: threadDelayed 5648
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Window / User API: foregroundWindowGot 1157
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Window / User API: foregroundWindowGot 410
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe TID: 7068 | Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe TID: 7140 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe TID: 6616 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6044 | Thread sleep time: -31500s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6652 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7092 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical entries, collapsed)
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1033040120.0000000006D30000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1033040120.0000000006D30000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1033040120.0000000006D30000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: dhcpmon.exe, 0000000C.00000002.755412411.0000000003455000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1027324927.00000000010E0000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1033040120.0000000006D30000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Process information queried: ProcessInformation
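The evasion strings above (SBIEDLL.DLL for Sandboxie, WINE_GET_UNIX_FILE_NAME for Wine, the VMware Tools registry path, the SCSI device map and the VMware SVGA adapter name) are the kind of artefact worth sweeping for in any process dump of a .NET RAT. The scanner below is an added example, not part of the report: it searches for each indicator in both narrow and UTF-16LE form, because .NET keeps its strings as UTF-16 and a plain `strings` pass (or a byte-wise grep) silently misses them, and it drops a short hit such as "VMware" when it sits inside a longer matched path. The indicator list is lifted from this report's strings; the dump it runs on is constructed, and the category labels are assumptions.

```python
"""Sweep a memory dump for the sandbox / VM artefacts listed in this report,
matching both narrow and UTF-16LE encodings case-insensitively.
Added example; not Joe Sandbox's Yara rule or signature logic."""
import re

INDICATORS = {                                   # categories are assumptions; strings are from the report
    "sandboxie": ["SbieDll.dll"],
    "wine": ["wine_get_unix_file_name"],
    "vmware": [
        "VMware",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
        "\\VMWARE\\VMWARE TOOLS\\",
        "VMware SVGA II",
        "VMware_SATA_CD00",
    ],
    "hw-enum": [
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port",
        "SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
        "SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}",
    ],
}
ENCODINGS = (("ascii", "latin-1"), ("utf-16le", "utf-16-le"))


def compile_indicators() -> list:
    """One case-insensitive byte regex per (indicator, encoding); ASCII-only folding is enough here."""
    out = []
    for category, needles in INDICATORS.items():
        for needle in needles:
            for label, codec in ENCODINGS:
                pattern = re.compile(re.escape(needle.encode(codec)), re.IGNORECASE)
                out.append((category, needle, label, pattern))
    return out


COMPILED = compile_indicators()


def scan(dump: bytes) -> list:
    """Return hits sorted by offset; a hit nested inside a longer hit is dropped as redundant."""
    hits = []
    for category, needle, enc, rx in COMPILED:
        for m in rx.finditer(dump):
            hits.append({"category": category, "indicator": needle, "encoding": enc,
                         "offset": m.start(), "end": m.end()})

    def nested(h):
        return any(o["offset"] <= h["offset"] and h["end"] <= o["end"]
                   and (o["offset"], o["end"]) != (h["offset"], h["end"]) for o in hits)

    return sorted((h for h in hits if not nested(h)), key=lambda h: h["offset"])


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump; not bytes from the analysed sample."""
    gap = b"\x00" * 16 + b"PROOF OF PAYMENT" + b"\x00" * 16         # 48 bytes of filler
    return (
        gap
        + "SbieDll.dll".encode("utf-16-le")                         # wide string, as .NET stores it
        + gap
        + b"SOFTWARE\\VMware, Inc.\\VMware Tools"                     # narrow registry path
        + gap
        + "WINE_GET_UNIX_FILE_NAME".encode("utf-16-le")              # upper case, as in the report
        + gap
        + b"Program Manager"                                         # benign; must not hit
    )


if __name__ == "__main__":
    for hit in scan(build_sample_dump()):
        print(f"{hit['offset']:#08x} {hit['encoding']:8} {hit['category']:9} {hit['indicator']}")
```

Reading a dump this way also explains why the sandbox attributes the same strings to two memory regions in two processes: dhcpmon.exe is a byte-identical copy of the sample, so the unpacked payload and its indicator table appear at the same relative offsets in both.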

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Code function: 1_2_00E71698 CheckRemoteDebuggerPresent,
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Process queried: DebugPort (3 identical entries, collapsed)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process queried: DebugPort (2 identical entries, collapsed)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Process token adjusted: Debug (2 identical entries, collapsed)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Memory allocated: (page read and write | page guard)
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Process created: C:\Users\user\Desktop\PROOF OF PAYMENT.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1029260124.000000000328A000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1027657692.0000000001790000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1027657692.0000000001790000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1031493566.0000000005E5B000.00000004.00000001.sdmp | Binary or memory string: Program ManagerP
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1027657692.0000000001790000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1032071709.00000000060FC000.00000004.00000001.sdmp | Binary or memory string: Program ManagerPB
Source: PROOF OF PAYMENT.exe, 00000007.00000002.1028629577.0000000002E90000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHa8k
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Users\user\Desktop\PROOF OF PAYMENT.exe VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
        Source: C:\Users\user\Desktop\PROOF OF PAYMENT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: PROOF OF PAYMENT.exe, 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: PROOF OF PAYMENT.exe PID: 6816, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6780, type: MEMORY
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.5f70000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 7.2.PROOF OF PAYMENT.exe.400000.0.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection12 | Masquerading2 | Input Capture21 | Security Software Discovery221 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion4 | LSASS Memory | Virtualization/Sandbox Evasion4 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing23 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

        Behavior Graph

        Behavior Graph ID: 342778 | Sample: PROOF OF PAYMENT.exe | Startdate: 21/01/2021 | Architecture: WINDOWS | Score: 100
        [Behavior graph image not available; the node labels and edges recovered from it are listed below]
        Start node: DNS amechi.duckdns.org; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 17 other signatures
        Start -> PROOF OF PAYMENT.exe (started); Start -> dhcpmon.exe (started)
        PROOF OF PAYMENT.exe -> dropped: C:\Users\user\AppData\...\pJrVfPIhXgkUp.exe (PE32); C:\Users\user\AppData\Local\...\tmpE52C.tmp (XML); C:\Users\user\...\PROOF OF PAYMENT.exe.log (ASCII)
        PROOF OF PAYMENT.exe -> started: PROOF OF PAYMENT.exe (second instance); schtasks.exe
        dhcpmon.exe -> started: schtasks.exe; dhcpmon.exe (second instance)
        PROOF OF PAYMENT.exe (second instance) -> network: amechi.duckdns.org 185.140.53.131, 3190, 49750, 49753 DAVID_CRAIGGG Sweden; 192.168.2.1 unknown unknown
        PROOF OF PAYMENT.exe (second instance) -> dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
        PROOF OF PAYMENT.exe (second instance) -> signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
        schtasks.exe -> started: conhost.exe (one per schtasks.exe instance)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        PROOF OF PAYMENT.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\pJrVfPIhXgkUp.exe | 100% | Joe Sandbox ML |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        12.2.dhcpmon.exe.e60000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        7.2.PROOF OF PAYMENT.exe.5f70000.5.unpack | 100% | Avira | TR/NanoCore.fadte
        1.2.PROOF OF PAYMENT.exe.640000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
        17.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        7.2.PROOF OF PAYMENT.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        Source | Detection | Scanner | Label
        amechi.duckdns.org | 4% | Virustotal |

        URLs


        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
amechi.duckdns.org | 185.140.53.131 | true | true | | unknown

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.comionF | PROOF OF PAYMENT.exe, 00000001.00000003.675123633.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.carterandcone.comueX | PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | | high
http://www.carterandcone.comva | PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html. | PROOF OF PAYMENT.exe, 00000001.00000003.670107984.000000000B39D000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comdiaF | PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers | dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.comtuedm | PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comessed | PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designersZ | PROOF OF PAYMENT.exe, 00000001.00000003.668897969.000000000B3A5000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comued | PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.carterandcone.com | PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.carterandcone.com( | PROOF OF PAYMENT.exe, 00000001.00000003.667062493.000000000B3A5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.comcomd_ | PROOF OF PAYMENT.exe, 00000001.00000003.670107984.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.sajatypeworks.com | PROOF OF PAYMENT.exe, 00000001.00000003.665018666.00000000010DC000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/roso | PROOF OF PAYMENT.exe, 00000001.00000003.667077696.000000000B399000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htmY | PROOF OF PAYMENT.exe, 00000001.00000003.674156675.000000000B3C3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://fontfabrik.com | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/5 | PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comD | PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ascendercorp.com/typedesigners.html: | PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersj | PROOF OF PAYMENT.exe, 00000001.00000003.668897969.000000000B3A5000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cnl | PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/0 | PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlormal | PROOF OF PAYMENT.exe, 00000001.00000003.670715362.000000000B3C3000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.comR | PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.como. | PROOF OF PAYMENT.exe, 00000001.00000003.671106569.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ascendercorp.com/typedesigners.html | PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.commm | PROOF OF PAYMENT.exe, 00000001.00000003.675123633.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PROOF OF PAYMENT.exe, 00000001.00000002.698087475.0000000002BA6000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.755447551.0000000003486000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cnf | PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.como5 | PROOF OF PAYMENT.exe, 00000001.00000003.696672589.000000000B390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | | high
http://www.galapagosdesign.com/ | PROOF OF PAYMENT.exe, 00000001.00000003.672895387.000000000B39D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.comnc. | PROOF OF PAYMENT.exe, 00000001.00000003.668748768.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comf | PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.come | PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.comcomd | PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/P | PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cnz | PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comt | PROOF OF PAYMENT.exe, 00000001.00000003.667062493.000000000B3A5000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.comd_ | PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/jp/ | PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/on | PROOF OF PAYMENT.exe, 00000001.00000003.667077696.000000000B399000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comd | PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp//Mo_ | PROOF OF PAYMENT.exe, 00000001.00000003.667263984.000000000B39C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Sue | PROOF OF PAYMENT.exe, 00000001.00000003.666912527.000000000B395000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers( | PROOF OF PAYMENT.exe, 00000001.00000003.675123633.000000000B39D000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp, PROOF OF PAYMENT.exe, 00000001.00000003.666474096.000000000B3A5000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/. | PROOF OF PAYMENT.exe, 00000001.00000003.672733617.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | PROOF OF PAYMENT.exe, 00000001.00000003.669981678.000000000B39D000.00000004.00000001.sdmp, PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/t | PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.carterandcone.comz | PROOF OF PAYMENT.exe, 00000001.00000003.666802005.000000000B3A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | PROOF OF PAYMENT.exe, 00000001.00000003.670641038.000000000B3C3000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/anie | PROOF OF PAYMENT.exe, 00000001.00000003.667263984.000000000B39C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp, PROOF OF PAYMENT.exe, 00000001.00000003.667385656.000000000B39C000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.como | PROOF OF PAYMENT.exe, 00000001.00000003.669066568.000000000B39D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.zhongyicts.com.cno. | PROOF OF PAYMENT.exe, 00000001.00000003.666742269.000000000B3A6000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PROOF OF PAYMENT.exe, 00000001.00000002.707113887.000000000B480000.00000002.00000001.sdmp, dhcpmon.exe, 0000000C.00000002.767911748.000000000BD80000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.comFf | PROOF OF PAYMENT.exe, 00000001.00000003.669540752.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comals | PROOF OF PAYMENT.exe, 00000001.00000003.671353872.000000000B39D000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/e | PROOF OF PAYMENT.exe, 00000001.00000003.666912527.000000000B395000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/f | PROOF OF PAYMENT.exe, 00000001.00000003.667540587.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcommm | PROOF OF PAYMENT.exe, 00000001.00000003.696672589.000000000B390000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comalic_ | PROOF OF PAYMENT.exe, 00000001.00000003.670674990.000000000B39D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers/ | PROOF OF PAYMENT.exe, 00000001.00000003.668834638.000000000B3C9000.00000004.00000001.sdmp | false | | high

                                            Contacted IPs


                                            Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.140.53.131 | unknown | Sweden | | 209623 | DAVID_CRAIGGG | true

                                            Private

                                            IP
                                            192.168.2.1

                                            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 342778
Start date: 21.01.2021
Start time: 18:19:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 58s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PROOF OF PAYMENT.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@12/8@27/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 1.9% (good quality ratio 0.7%)
• Quality average: 22.7%
• Quality standard deviation: 33.2%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                            • TCP Packets have been reduced to 100
                                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 104.43.193.48, 23.211.6.115, 40.88.32.150, 51.11.168.160, 92.122.213.247, 92.122.213.194, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129
                                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time     | Type            | Description
18:20:12 | API Interceptor | 1323x Sleep call for process: PROOF OF PAYMENT.exe modified
18:20:26 | Autostart       | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:20:42 | API Interceptor | 1x Sleep call for process: dhcpmon.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match          | Associated Sample Name / URL                  | Detection | Context
185.140.53.131 | PROOF OF PAYMENT.exe                          | malicious |
               | Urgent order 1812021-672 Q30721,pdf.exe       | malicious |
               | PROOF OF PAYMENT.exe                          | malicious |
               | R#U00d6SLER Puchase_tcs 10-28-2020,pdf.exe    | malicious |

                                                    Domains

Match              | Associated Sample Name / URL | Detection | Context
amechi.duckdns.org | PROOF OF PAYMENT.exe         | malicious | 185.140.53.131
                   | PROOF OF PAYMENT.exe         | malicious | 185.140.53.131
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.82
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.69
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.69
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.69
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.69
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.69
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.71
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.71
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.71
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.71
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.71
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.71
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.71
                   | PROOF OF PAYMENT.exe         | malicious | 79.134.225.73

                                                    ASN

Match         | Associated Sample Name / URL                          | Detection | Context
DAVID_CRAIGGG | SecuriteInfo.com.Artemis1A5E2411DEA6.exe              | malicious | 91.193.75.204
              | Payment Invoice PDF.exe                               | malicious | 185.244.30.18
              | New Doc 20211401#_our new price.exe                   | malicious | 91.193.75.243
              | company profile.exe                                   | malicious | 185.140.53.227
              | NEWORDERrefno0992883jpg.exe                           | malicious | 185.140.53.253
              | richiealvin.exe                                       | malicious | 91.193.75.185
              | Quotation.exe                                         | malicious | 185.140.53.154
              | DHL Delivery Shipping Cargo. Pdf.exe                  | malicious | 185.244.30.18
              | CompanyLicense.exe                                    | malicious | 185.140.53.253
              | Purchase Order 2094742424.exe                         | malicious | 185.244.30.132
              | PURCHASE OREDER. PRINT. pdf.exe                       | malicious | 91.193.75.45
              | PO.exe                                                | malicious | 185.140.53.234
              | SWIFT.exe                                             | malicious | 185.140.53.154
              | SecuriteInfo.com.BScope.Trojan-Dropper.Injector.exe   | malicious | 185.140.53.234
              | PROOF OF PAYMENT.exe                                  | malicious | 185.140.53.131
              | Orden n.#U00ba STL21119, pdf.exe                      | malicious | 185.140.53.129
              | Proof of Payment.exe                                  | malicious | 185.244.30.51
              | DxCHoDnNLn.exe                                        | malicious | 185.140.53.202
              | T7gzTHDZ7g.rtf                                        | malicious | 185.140.53.202
              | PO - 2021-000511.exe                                  | malicious | 185.244.30.69

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1168384
                                                    Entropy (8bit):7.897636731334413
                                                    Encrypted:false
                                                    SSDEEP:24576:E2cXDkZfhBL97dNqehj/5L3xqpljbfrRUoq7Ohn:E2MiBBRNb5LBepfrhqyN
                                                    MD5:DCF168394EF0A6D6774B099DD8493B75
                                                    SHA1:565C77FA9F7F22229FF5AABAD52F6F9E0C5FBCE0
                                                    SHA-256:373E294FCCF1CBC447469AEB6FC86678EFBFD072B5035A295D1FC74CE6E9FD79
                                                    SHA-512:6F19BD8C1CE255848FC9E60B92B758AC960C81E3CB4C3C7BC5E520DE5B03CFC0A2244891150B50ECC179FC35A9D7F9477E567BDD275B32B4873FE640DAFE7AC9
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    Reputation:low
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................0..............@....... ....@.. .......................`............@.....................................O............................ .......................................................@..................H............\.D|.aH..... ......................@....text............................... ..`.rsrc...............................@..@.reloc....... ......................@..B.............@...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PROOF OF PAYMENT.exe.log
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.355304211458859
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                                    MD5:B666A4404B132B2BF6C04FBF848EB948
                                                    SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                                    SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                                    SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                                    Malicious:true
                                                    Reputation:moderate, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.355304211458859
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                                    MD5:B666A4404B132B2BF6C04FBF848EB948
                                                    SHA1:D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                                    SHA-256:7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                                    SHA-512:00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    C:\Users\user\AppData\Local\Temp\tmp5106.tmp
                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1646
                                                    Entropy (8bit):5.189454496599504
                                                    Encrypted:false
                                                    SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGwTtn:cbhK79lNQR/rydbz9I3YODOLNdq3Z
                                                    MD5:C6FAB75DB50999549C6154EF264BE80C
                                                    SHA1:EB84E6A1F6F4CDA87BC0BFA0C33FB853876123E5
                                                    SHA-256:BE05BA07F3B94AE7D7C76A5FEF997D900D5DFA9A9E6A190EA2DD5A8736AE5391
                                                    SHA-512:8E1054F87068027847AFDF2F60CB2B6BBE2FB674C31E1A1B8C93DEF4438591709A2E705E4AD7898C236028A3A3D3972BE62FF57AF5965139C9ECF2FD2D43720D
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Local\Temp\tmpE52C.tmp
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1646
                                                    Entropy (8bit):5.189454496599504
                                                    Encrypted:false
                                                    SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGwTtn:cbhK79lNQR/rydbz9I3YODOLNdq3Z
                                                    MD5:C6FAB75DB50999549C6154EF264BE80C
                                                    SHA1:EB84E6A1F6F4CDA87BC0BFA0C33FB853876123E5
                                                    SHA-256:BE05BA07F3B94AE7D7C76A5FEF997D900D5DFA9A9E6A190EA2DD5A8736AE5391
                                                    SHA-512:8E1054F87068027847AFDF2F60CB2B6BBE2FB674C31E1A1B8C93DEF4438591709A2E705E4AD7898C236028A3A3D3972BE62FF57AF5965139C9ECF2FD2D43720D
                                                    Malicious:true
                                                    Reputation:low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:ISO-8859 text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):8
                                                    Entropy (8bit):3.0
                                                    Encrypted:false
                                                    SSDEEP:3:mVbP:mxP
                                                    MD5:9CC98A9DC31882B52047540E4E0B3CD1
                                                    SHA1:3C4DEE67488C1716C349FD7977DAEFCCEDE7064B
                                                    SHA-256:022A875D410DE3708A424EC637D04CF866BD83D95FE141EB0B20C3072924646A
                                                    SHA-512:CA91BA3B6DD9E4929D4F7C0CEAA0CD248D3833C04CA2E0C32BD5A203183DCBB8EC837D4ED00661979E31D310682FAD1DA675DF05DC742EE7D9E057366EB0CA54
                                                    Malicious:true
                                                    Preview: ..}.0..H
                                                    C:\Users\user\AppData\Roaming\pJrVfPIhXgkUp.exe
                                                    Process:C:\Users\user\Desktop\PROOF OF PAYMENT.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1168384
                                                    Entropy (8bit):7.897636731334413
                                                    Encrypted:false
                                                    SSDEEP:24576:E2cXDkZfhBL97dNqehj/5L3xqpljbfrRUoq7Ohn:E2MiBBRNb5LBepfrhqyN
                                                    MD5:DCF168394EF0A6D6774B099DD8493B75
                                                    SHA1:565C77FA9F7F22229FF5AABAD52F6F9E0C5FBCE0
                                                    SHA-256:373E294FCCF1CBC447469AEB6FC86678EFBFD072B5035A295D1FC74CE6E9FD79
                                                    SHA-512:6F19BD8C1CE255848FC9E60B92B758AC960C81E3CB4C3C7BC5E520DE5B03CFC0A2244891150B50ECC179FC35A9D7F9477E567BDD275B32B4873FE640DAFE7AC9
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...................0..............@....... ....@.. .......................`............@.....................................O............................ .......................................................@..................H............\.D|.aH..... ......................@....text............................... ..`.rsrc...............................@..@.reloc....... ......................@..B.............@...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.897636731334413
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                    • Win32 Executable (generic) a (10002005/4) 49.96%
                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:PROOF OF PAYMENT.exe
                                                    File size:1168384
                                                    MD5:dcf168394ef0a6d6774b099dd8493b75
                                                    SHA1:565c77fa9f7f22229ff5aabad52f6f9e0c5fbce0
                                                    SHA256:373e294fccf1cbc447469aeb6fc86678efbfd072b5035a295d1fc74ce6e9fd79
                                                    SHA512:6f19bd8c1ce255848fc9e60b92b758ac960c81e3cb4c3c7bc5e520de5b03cfc0a2244891150b50ecc179fc35a9d7f9477e567bdd275b32b4873fe640dafe7ac9
                                                    SSDEEP:24576:E2cXDkZfhBL97dNqehj/5L3xqpljbfrRUoq7Ohn:E2MiBBRNb5LBepfrhqyN
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..............@....... ....@.. .......................`............@................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x52400a
                                                    Entrypoint Section:
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                    Time Stamp:0x83ABA3EF [Sun Jan 1 20:51:59 2040 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00524000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x1008ac        | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x120000        | 0x608        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x122000        | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x124000        | 0x8          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x100000        | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name      | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type                                           | Entropy        | Characteristics
\D|.aH    | 0x2000          | 0xfcf8c      | 0xfd000  | False    | 1.00031458436   | data                                                | 7.99982924254  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text     | 0x100000        | 0x1f3b8      | 0x1f400  | False    | 0.35140625      | data                                                | 4.85294552494  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc     | 0x120000        | 0x608        | 0x800    | False    | 0.33154296875   | data                                                | 3.4379516301   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc    | 0x122000        | 0xc          | 0x200    | False    | 0.044921875     | data                                                | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(no name) | 0x124000        | 0x10         | 0x200    | False    | 0.044921875     | Applesoft BASIC program data, first line number 16  | 0.142635768149 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Resources

Name        | RVA      | Size  | Type                                                                         | Language | Country
RT_VERSION  | 0x1200a0 | 0x376 | data                                                                         |          |
RT_MANIFEST | 0x120418 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

Imports

DLL         | Import
mscoree.dll | _CorExeMain

Version Infos

Description      | Data
Translation      | 0x0000 0x04b0
LegalCopyright   | Made Solutions International 2016
Assembly Version | 36.5.0.8
InternalName     | W4.exe
FileVersion      | 36.5.0.8
CompanyName      | Made Solutions International
LegalTrademarks  |
Comments         | Easynote
ProductName      | Admin App
ProductVersion   | 36.5.0.8
FileDescription  | Admin App
OriginalFilename | W4.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                    Jan 21, 2021 18:22:13.397027969 CET53640148.8.8.8192.168.2.4
                                                    Jan 21, 2021 18:22:19.120923996 CET5709153192.168.2.48.8.8.8
                                                    Jan 21, 2021 18:22:19.180563927 CET53570918.8.8.8192.168.2.4
                                                    Jan 21, 2021 18:22:24.973064899 CET5590453192.168.2.48.8.8.8
                                                    Jan 21, 2021 18:22:25.033624887 CET53559048.8.8.8192.168.2.4
                                                    Jan 21, 2021 18:22:30.705987930 CET5210953192.168.2.48.8.8.8
                                                    Jan 21, 2021 18:22:30.762120962 CET53521098.8.8.8192.168.2.4
                                                    Jan 21, 2021 18:22:36.456420898 CET5445053192.168.2.48.8.8.8
                                                    Jan 21, 2021 18:22:36.686892986 CET53544508.8.8.8192.168.2.4
                                                    Jan 21, 2021 18:22:42.330946922 CET4937453192.168.2.48.8.8.8
                                                    Jan 21, 2021 18:22:42.389832020 CET53493748.8.8.8192.168.2.4
                                                    Jan 21, 2021 18:22:48.195000887 CET5043653192.168.2.48.8.8.8
                                                    Jan 21, 2021 18:22:48.251329899 CET53504368.8.8.8192.168.2.4
                                                    Jan 21, 2021 18:22:54.368314981 CET6260553192.168.2.48.8.8.8
                                                    Jan 21, 2021 18:22:54.424686909 CET53626058.8.8.8192.168.2.4
                                                    Jan 21, 2021 18:22:59.616128922 CET5425653192.168.2.48.8.8.8
                                                    Jan 21, 2021 18:22:59.672491074 CET53542568.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 21, 2021 18:20:26.377454042 CET | 192.168.2.4 | 8.8.8.8 | 0x25e9 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:20:32.287314892 CET | 192.168.2.4 | 8.8.8.8 | 0xe11e | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:20:37.819787979 CET | 192.168.2.4 | 8.8.8.8 | 0x7842 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:20:43.690567970 CET | 192.168.2.4 | 8.8.8.8 | 0xd26f | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:20:49.716054916 CET | 192.168.2.4 | 8.8.8.8 | 0xe4b8 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:20:55.812844992 CET | 192.168.2.4 | 8.8.8.8 | 0xf037 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:01.327616930 CET | 192.168.2.4 | 8.8.8.8 | 0x619f | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:06.923330069 CET | 192.168.2.4 | 8.8.8.8 | 0x7af2 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:13.962409019 CET | 192.168.2.4 | 8.8.8.8 | 0xa328 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:19.522490978 CET | 192.168.2.4 | 8.8.8.8 | 0x75b9 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:25.142821074 CET | 192.168.2.4 | 8.8.8.8 | 0xca7e | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:30.839421988 CET | 192.168.2.4 | 8.8.8.8 | 0xa158 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:36.682862997 CET | 192.168.2.4 | 8.8.8.8 | 0x7ced | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:42.412513018 CET | 192.168.2.4 | 8.8.8.8 | 0xdd3a | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:48.038727045 CET | 192.168.2.4 | 8.8.8.8 | 0x7241 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:53.752360106 CET | 192.168.2.4 | 8.8.8.8 | 0xff5c | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:59.287313938 CET | 192.168.2.4 | 8.8.8.8 | 0xf33b | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:06.958884001 CET | 192.168.2.4 | 8.8.8.8 | 0x4d84 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:13.336189985 CET | 192.168.2.4 | 8.8.8.8 | 0x3e3b | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:19.120923996 CET | 192.168.2.4 | 8.8.8.8 | 0xbcb1 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:24.973064899 CET | 192.168.2.4 | 8.8.8.8 | 0x3699 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:30.705987930 CET | 192.168.2.4 | 8.8.8.8 | 0xf2cf | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:36.456420898 CET | 192.168.2.4 | 8.8.8.8 | 0x9a64 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:42.330946922 CET | 192.168.2.4 | 8.8.8.8 | 0x4f70 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:48.195000887 CET | 192.168.2.4 | 8.8.8.8 | 0xde87 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:54.368314981 CET | 192.168.2.4 | 8.8.8.8 | 0xc231 | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:59.616128922 CET | 192.168.2.4 | 8.8.8.8 | 0x2a6b | Standard query (0) | amechi.duckdns.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 21, 2021 18:20:26.597150087 CET | 8.8.8.8 | 192.168.2.4 | 0x25e9 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:20:32.338031054 CET | 8.8.8.8 | 192.168.2.4 | 0xe11e | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:20:38.041517019 CET | 8.8.8.8 | 192.168.2.4 | 0x7842 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:20:43.753215075 CET | 8.8.8.8 | 192.168.2.4 | 0xd26f | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:20:49.939874887 CET | 8.8.8.8 | 192.168.2.4 | 0xe4b8 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:20:55.869412899 CET | 8.8.8.8 | 192.168.2.4 | 0xf037 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:01.384275913 CET | 8.8.8.8 | 192.168.2.4 | 0x619f | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:06.979444981 CET | 8.8.8.8 | 192.168.2.4 | 0x7af2 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:14.018889904 CET | 8.8.8.8 | 192.168.2.4 | 0xa328 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:19.579447985 CET | 8.8.8.8 | 192.168.2.4 | 0x75b9 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:25.363347054 CET | 8.8.8.8 | 192.168.2.4 | 0xca7e | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:30.887420893 CET | 8.8.8.8 | 192.168.2.4 | 0xa158 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:36.730860949 CET | 8.8.8.8 | 192.168.2.4 | 0x7ced | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:42.468755960 CET | 8.8.8.8 | 192.168.2.4 | 0xdd3a | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:48.094996929 CET | 8.8.8.8 | 192.168.2.4 | 0x7241 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:53.811616898 CET | 8.8.8.8 | 192.168.2.4 | 0xff5c | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:21:59.344736099 CET | 8.8.8.8 | 192.168.2.4 | 0xf33b | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:07.179647923 CET | 8.8.8.8 | 192.168.2.4 | 0x4d84 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:13.397027969 CET | 8.8.8.8 | 192.168.2.4 | 0x3e3b | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:19.180563927 CET | 8.8.8.8 | 192.168.2.4 | 0xbcb1 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:25.033624887 CET | 8.8.8.8 | 192.168.2.4 | 0x3699 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:30.762120962 CET | 8.8.8.8 | 192.168.2.4 | 0xf2cf | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:36.686892986 CET | 8.8.8.8 | 192.168.2.4 | 0x9a64 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:42.389832020 CET | 8.8.8.8 | 192.168.2.4 | 0x4f70 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:48.251329899 CET | 8.8.8.8 | 192.168.2.4 | 0xde87 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:54.424686909 CET | 8.8.8.8 | 192.168.2.4 | 0xc231 | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)
Jan 21, 2021 18:22:59.672491074 CET | 8.8.8.8 | 192.168.2.4 | 0x2a6b | No error (0) | amechi.duckdns.org | | 185.140.53.131 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 18:19:59
Start date: 21/01/2021
Path: C:\Users\user\Desktop\PROOF OF PAYMENT.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PROOF OF PAYMENT.exe'
Imagebase: 0x640000
File size: 1168384 bytes
MD5 hash: DCF168394EF0A6D6774B099DD8493B75
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000001.00000002.701087056.0000000003B39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.697967874.0000000002B2B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000001.00000002.701602201.0000000003D39000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 18:20:20
Start date: 21/01/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmpE52C.tmp'
Imagebase: 0x1390000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:20:21
Start date: 21/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:20:21
Start date: 21/01/2021
Path: C:\Users\user\Desktop\PROOF OF PAYMENT.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x920000
File size: 1168384 bytes
MD5 hash: DCF168394EF0A6D6774B099DD8493B75
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000007.00000002.1026361866.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.1028093890.0000000002D01000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000007.00000002.1029421863.0000000003D49000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.1031888458.0000000005F70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.1031725645.0000000005EE0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.1031725645.0000000005EE0000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: low

General

Start time: 18:20:36
Start date: 21/01/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase: 0xe60000
File size: 1168384 bytes
MD5 hash: DCF168394EF0A6D6774B099DD8493B75
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.758221792.0000000004617000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.757375675.000000000441B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 18:20:45
Start date: 21/01/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pJrVfPIhXgkUp' /XML 'C:\Users\user\AppData\Local\Temp\tmp5106.tmp'
Imagebase: 0x1390000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:20:46
Start date: 21/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:20:46
Start date: 21/01/2021
Path: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xa70000
File size: 1168384 bytes
MD5 hash: DCF168394EF0A6D6774B099DD8493B75
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000011.00000002.770483355.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000011.00000002.772863265.0000000003EA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000011.00000002.772748001.0000000002EA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

Disassembly

Code Analysis