
Analysis Report PAYMENT_TT_COPYINVOICE001262021.pdf.exe

Overview

General Information

Sample Name: PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Analysis ID: 344664
MD5: 84f159a6d9b73e029d2b7e2c34cccf3b
SHA1: f941d4e4366561b492273b5d097119f296f7fa22
SHA256: 69e6c181fa23893493acdf273050519eee74c052a8240fb967bfe7bb2d687c2b

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PAYMENT_TT_COPYINVOICE001262021.pdf.exe (PID: 6008 cmdline: 'C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe' MD5: 84F159A6D9B73E029D2B7E2C34CCCF3B)
    • schtasks.exe (PID: 5720 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PAYMENT_TT_COPYINVOICE001262021.pdf.exe (PID: 4788 cmdline: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe MD5: 84F159A6D9B73E029D2B7E2C34CCCF3B)
      • schtasks.exe (PID: 5468 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8731.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • PAYMENT_TT_COPYINVOICE001262021.pdf.exe (PID: 2436 cmdline: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe 0 MD5: 84F159A6D9B73E029D2B7E2C34CCCF3B)
    • schtasks.exe (PID: 5260 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F15.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["91.193.75.45"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x4eb0d:$a: NanoCore
  • 0x4eb66:$a: NanoCore
  • 0x4eba3:$a: NanoCore
  • 0x4ec1c:$a: NanoCore
  • 0x541b1:$a: NanoCore
  • 0x541fb:$a: NanoCore
  • 0x543e5:$a: NanoCore
  • 0x67d04:$a: NanoCore
  • 0x67d19:$a: NanoCore
  • 0x67d4e:$a: NanoCore
  • 0x80ceb:$a: NanoCore
  • 0x80d00:$a: NanoCore
  • 0x80d35:$a: NanoCore
  • 0x4eb6f:$b: ClientPlugin
  • 0x4ebac:$b: ClientPlugin
  • 0x4f4aa:$b: ClientPlugin
  • 0x4f4b7:$b: ClientPlugin
  • 0x53f4a:$b: ClientPlugin
  • 0x541ba:$b: ClientPlugin
  • 0x54204:$b: ClientPlugin
  • 0x67ac0:$b: ClientPlugin
00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
(5 of 36 memory-dump entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5f00000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1646:$x1: NanoCore.ClientPluginHost
3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5f00000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1646:$x2: NanoCore.ClientPluginHost
  • 0x1724:$s4: PipeCreated
  • 0x1660:$s5: IClientLoggingHost
3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(5 of 13 unpacked-PE entries shown)
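
The strings behind the Yara hits above (NanoCore.ClientPluginHost, IClientNetworkHost, IClientLoggingHost, PipeCreated, PipeExists) are plain ASCII type and interface names from the unpacked .NET client, which is why they surface in memory dumps and unpacked PEs even though the on-disk dropper is obfuscated. The Python below is an added example, not part of this Joe Sandbox report or of the cited Yara rules: it re-creates the string scan without a Yara installation, prints hits in the report's offset:$label format, and applies a simple condition. The $-labels, the strong/supporting split and the condition in verdict() are this example's own choices, not the published rules' logic; the sample dump is constructed, with the strings placed at the offsets the first memory-dump entry lists.

```python
# Indicator strings that the Yara matches above keyed on. The $-labels, the split into
# "strong" ($x) and "supporting" ($s/$a/$b) strings and the condition in verdict() are
# this example's own choices, not the published rules' exact logic.
STRINGS = {
    "$x1": b"NanoCore.ClientPluginHost",
    "$x2": b"IClientNetworkHost",
    "$x3": b"IClientLoggingHost",
    "$s1": b"PipeExists",
    "$s2": b"PipeCreated",
    "$a": b"NanoCore",
    "$b": b"ClientPlugin",
}


def find_all(buf: bytes, needle: bytes):
    """Return every offset of needle in buf (overlapping hits included, as Yara reports them)."""
    offsets, start = [], 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan(buf: bytes):
    """Map each label to the offsets where its string occurs in the buffer."""
    return {label: find_all(buf, s) for label, s in STRINGS.items()}


def format_hits(hits):
    """Render hits in the report's '0xoffset:$label: string' style, ordered by offset."""
    rows = [(off, label) for label, offs in hits.items() for off in offs]
    rows.sort(key=lambda r: r[0])  # stable sort keeps STRINGS order for equal offsets
    return [f"0x{off:x}:{label}: {STRINGS[label].decode()}" for off, label in rows]


def verdict(hits):
    """Example condition: any strong string, or the generic pair plus one pipe string.
    Short generic strings like 'NanoCore' alone are not enough; they also occur in AV
    signatures, reports and other benign memory."""
    strong = any(hits[l] for l in ("$x1", "$x2", "$x3"))
    generic_pair = bool(hits["$a"]) and bool(hits["$b"])
    pipe = bool(hits["$s1"]) or bool(hits["$s2"])
    return strong or (generic_pair and pipe)


def build_sample_dump():
    """Constructed stand-in for dump 00000003.00000002.624947695.0000000005C90000:
    the strings sit at the offsets the report lists, the rest is zero filler."""
    buf = bytearray(0x1300)
    for off, s in ((0xE75, STRINGS["$x1"]), (0xE8F, STRINGS["$x2"]),
                   (0xEB0, STRINGS["$x3"]), (0x1136, STRINGS["$s2"]),
                   (0x1261, STRINGS["$s1"])):
        buf[off:off + len(s)] = s
    return bytes(buf)


def scan_file(path):
    """Scan a real memory dump or unpacked PE taken from the sandbox."""
    with open(path, "rb") as f:
        return scan(f.read())


if __name__ == "__main__":
    hits = scan(build_sample_dump())
    print("\n".join(format_hits(hits)))
    print("NanoCore:", verdict(hits))
```

Note that the 8-byte string NanoCore also matches inside NanoCore.ClientPluginHost at the same offset, which is exactly why Kevin Breen's generic rule reports so many $a hits next to Florian Roth's more specific $x strings.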

      Sigma Overview

      System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe, ProcessId: 4788, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe', ParentImage: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe, ParentProcessId: 6008, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp', ProcessId: 5720
Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe, CommandLine: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe, NewProcessName: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe, OriginalFileName: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe', ParentImage: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe, ParentProcessId: 6008, ProcessCommandLine: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe, ProcessId: 4788
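
The three Sigma hits above reduce to three checks on Sysmon-style telemetry: a document extension in front of an executable extension on the image name, schtasks.exe registering a task from an XML file that lives in a Temp directory, and a run.dat written into a GUID-named folder under %APPDATA%. The Python below is an added example, not part of this report or of the Sigma rules themselves; it implements those checks over constructed events whose paths and PIDs are copied from the process tree above, plus two benign controls. The extension lists, the Temp-directory patterns and the Sysmon field names are this example's assumptions.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, EventID 11 = file create).
# Paths and PIDs come from the report's process tree; the two benign controls are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6008,
     "Image": r"C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe",
     "CommandLine": r'"C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe"'},
    {"EventID": 1, "ProcessId": 5720,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KIgtQYTewUpkIc" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp"'},
    {"EventID": 1, "ProcessId": 5468,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "DHCP Monitor" '
                    r'/xml "C:\Users\user\AppData\Local\Temp\tmp8731.tmp"'},
    {"EventID": 11, "ProcessId": 4788,
     "Image": r"C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    # Benign controls (constructed): a task whose XML is outside Temp, and a real PDF being opened.
    {"EventID": 1, "ProcessId": 7001,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
    {"EventID": 1, "ProcessId": 7002,
     "Image": r"C:\Program Files\Reader\Reader.exe",
     "CommandLine": r'"C:\Program Files\Reader\Reader.exe" "C:\Users\user\Desktop\invoice.pdf"'},
]

# Assumed extension lists: a document-like extension immediately followed by an executable one.
DOC_EXT = r"(?:pdf|doc|docx|xls|xlsx|ppt|pptx|rtf|txt|csv|jpg|jpeg|png|gif|zip|rar|7z)"
EXEC_EXT = r"(?:exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|ps1|msi|hta)"
DOUBLE_EXT_RE = re.compile(r"\." + DOC_EXT + r"\." + EXEC_EXT + r"$", re.IGNORECASE)

SCHTASKS_CREATE_RE = re.compile(r"(?:^|\s)/create(?:\s|$)", re.IGNORECASE)
# /XML <path>; the path may be double-quoted, single-quoted or bare.
XML_ARG_RE = re.compile(r"""/xml\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

GUID = r"\{?[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}?"
RUN_DAT_RE = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.IGNORECASE)


def is_double_extension(image):
    """True when the file name hides an executable behind a document-like extension."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return bool(DOUBLE_EXT_RE.search(name))


def schtasks_xml_from_temp(image, cmdline):
    """Return the XML path for 'schtasks /Create ... /XML <file in a Temp dir>', else None."""
    if not image.lower().endswith("\\schtasks.exe"):
        return None
    if not SCHTASKS_CREATE_RE.search(cmdline):
        return None
    m = XML_ARG_RE.search(cmdline)
    if not m:
        return None
    xml_path = next(g for g in m.groups() if g is not None)
    return xml_path if TEMP_DIR_RE.search(xml_path) else None


def is_nanocore_run_dat(target):
    """NanoCore keeps its state as run.dat in a GUID-named folder under %APPDATA%."""
    return bool(RUN_DAT_RE.search(target))


def detect(events):
    """Run the three checks over Sysmon-style events; return (ProcessId, rule) findings."""
    findings = []
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            if is_double_extension(ev["Image"]):
                findings.append((pid, "Suspicious Double Extension"))
            if schtasks_xml_from_temp(ev["Image"], ev.get("CommandLine", "")):
                findings.append((pid, "Scheduled temp file as task from temp location"))
        elif ev["EventID"] == 11 and is_nanocore_run_dat(ev.get("TargetFilename", "")):
            findings.append((pid, "NanoCore run.dat written to per-install GUID folder"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The schtasks check deliberately keys on the XML file's location rather than on the task name: this sample uses two different names ('Updates\KIgtQYTewUpkIc' and 'DHCP Monitor') and the temp file name changes every run, but the XML always comes from %LOCALAPPDATA%\Temp. Legitimate installers register tasks from their own install directory, which is why the ProgramData control does not fire.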

      Signature Overview

      AV Detection:

Found malware configuration
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5256.9.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["91.193.75.45"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe | VirusTotal: Detection: 42%
Multi AV Scanner detection for submitted file
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | VirusTotal: Detection: 42%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.623216945.000000000459F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.241805191.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY
Source: Yara match | File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack | Avira: Label: TR/NanoCore.fadte
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

      Compliance:

Uses 32bit PE files
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
      Source: Binary string: System.pdbbp"dA source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: System.pdbb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\dll\System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: 32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000003.234792260.0000000001488000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.621749990.0000000003541000.00000004.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\System.pdbe source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: indows\System.pdbpdbtem.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218131146.0000000005300000.00000002.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624887466.0000000005C30000.00000002.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.228280342.0000000004910000.00000002.00000001.sdmp
      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then jmp 02C3AD7Dh
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then jmp 02C3AD7Dh
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then jmp 02C3AD7Dh
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then jmp 02C3AD7Dh
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then jmp 0239A665h
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then jmp 0239A665h
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then jmp 0239A665h
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 4x nop then jmp 0239A665h

      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49719 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49720 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49721 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49726 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49760 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49762 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49763 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49764 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49765 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49768 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49769 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49770 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49781 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49782 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49783 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49784 -> 91.193.75.45:3387
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49785 -> 91.193.75.45:3387
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 91.193.75.45
Uses dynamic DNS services
Source: unknown | DNS query: name: timnoipnew.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.3:49719 -> 91.193.75.45:3387
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_03182DAA WSARecv,
Source: unknown | DNS traffic detected: queries for: timnoipnew.ddns.net
Installs a raw input device (often for capturing keystrokes)
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
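
The extracted configuration, the dynamic-DNS query and the Snort alerts above together give the network indicators for this sample. The Python below is an added example, not tooling from the report: it normalises the extractor's odd JSON keys ("C2: " and "Version: " carry a trailing colon and space), parses the Snort alert lines, counts how many reconnects hit the configured C2 and from how many ephemeral source ports, and flags the non-standard port and the dynamic-DNS hostname. The inputs are literals copied from this report (only five of the thirty alerts are included); the dynamic-DNS suffix list is a short assumption, not an exhaustive one.

```python
import json
import re
from collections import Counter

# Inputs copied from this report and embedded as literals so the script runs offline.
# Note the extractor's keys "C2: " and "Version: " with trailing colon and space.
CONFIG_JSON = '{"C2: ": ["91.193.75.45"], "Version: ": "NanoCore Client, Version=1.2.2.0"}'
DNS_QUERIES = ["timnoipnew.ddns.net"]
SAMPLE_SHA256 = "69e6c181fa23893493acdf273050519eee74c052a8240fb967bfe7bb2d687c2b"
SNORT_LINES = [
    "2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49719 -> 91.193.75.45:3387",
    "2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49720 -> 91.193.75.45:3387",
    "2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49721 -> 91.193.75.45:3387",
    "2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49726 -> 91.193.75.45:3387",
    "2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 91.193.75.45:3387",
]

# "<sid> <msg> <bytes>B <src>:<sport> -> <dst>:<dport>", the shape the report prints.
SNORT_RE = re.compile(
    r"^(?P<sid>\d+)\s+(?P<msg>.+?)\s+(?P<size>\d+)B\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)
# Assumed, illustrative list of dynamic-DNS providers; extend it for production use.
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "no-ip.info", "hopto.org",
                 "zapto.org", "duckdns.org", "dynu.com", "myftp.biz")


def parse_config(text):
    """Normalise the extractor's keys ("C2: " -> "c2") and pull the bare version number."""
    raw = json.loads(text)
    cfg = {k.strip().rstrip(":").strip().lower(): v for k, v in raw.items()}
    version = cfg.get("version", "")
    m = re.search(r"Version=([\d.]+)", version)
    return {"c2": list(cfg.get("c2", [])), "version": m.group(1) if m else version}


def parse_snort(lines):
    """Parse alert lines into dicts; lines that do not match the shape are skipped."""
    alerts = []
    for line in lines:
        m = SNORT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for k in ("sid", "size", "sport", "dport"):
            a[k] = int(a[k])
        alerts.append(a)
    return alerts


def is_dynamic_dns(name):
    """True when the hostname sits under one of the listed dynamic-DNS zones."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in DDNS_SUFFIXES)


def build_report(config_text, snort_lines, dns_queries, sha256):
    """Return (iocs, findings): normalised indicators and human-readable observations."""
    cfg = parse_config(config_text)
    alerts = parse_snort(snort_lines)
    per_dest = Counter((a["dst"], a["dport"]) for a in alerts)
    iocs = {
        "sha256": [sha256],
        "ipv4": sorted(set(cfg["c2"]) | {a["dst"] for a in alerts}),
        "domain": sorted(set(dns_queries)),
        "dst_port": sorted({a["dport"] for a in alerts}),
        "family": f"NanoCore {cfg['version']}".strip(),
    }
    findings = []
    for (ip, port), n in per_dest.items():
        src_ports = {a["sport"] for a in alerts if (a["dst"], a["dport"]) == (ip, port)}
        tag = "configured C2" if ip in cfg["c2"] else "unlisted host"
        findings.append(f"{n} alerts to {tag} {ip}:{port} from {len(src_ports)} distinct source ports")
        if port not in (80, 443):
            findings.append(f"non-standard C2 port {port}")
    for q in dns_queries:
        if is_dynamic_dns(q):
            findings.append(f"dynamic DNS hostname {q}")
    return iocs, findings


if __name__ == "__main__":
    iocs, findings = build_report(CONFIG_JSON, SNORT_LINES, DNS_QUERIES, SAMPLE_SHA256)
    print(json.dumps(iocs, indent=2))
    print("\n".join(findings))
```

Each alert in the report comes from a fresh ephemeral source port (49719, 49720, ...), so the thirty alerts are thirty separate connection attempts to the same 91.193.75.45:3387, not one long session; that reconnect pattern is itself a useful detection signal. Because the client resolves timnoipnew.ddns.net, the IP can change under the operator's control: block and alert on the hostname and the destination-port pattern as well as on the address.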

      E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | the same memory dumps, process memory spaces and unpacked PEs listed under AV Detection above.

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.625122849.0000000005F00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5f00000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5c90000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_0549111E NtQuerySystemInformation,
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_054910ED NtQuerySystemInformation,
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_031815DE NtQuerySystemInformation,
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_031815A3 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_04A40C56 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_04A40C25 NtQuerySystemInformation,
Detected potential crypto function
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C312F8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C31840
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C315A8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C33A6D
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C32450
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C3243F
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C31597
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_031023A0
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_03102FA8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_03109638
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_03108A38
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_0310CE58
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_0310B298
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_03103850
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_031096FF
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_0310306F
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_02391308
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_02398020
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_02391840
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_023915A8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_02393A6D
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_023912F8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_0239243F
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_02392450
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_02391597
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 9_2_031E3850
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 9_2_031E2FA8
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 9_2_031E306F
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.217779628.0000000004293000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218131146.0000000005300000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218559865.0000000005E70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000000.208544459.0000000000ADC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLocalDataStoreElement.exe: vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218686980.0000000005F70000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218686980.0000000005F70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.217424729.0000000003171000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624534911.0000000005990000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000000.215184824.0000000000D8C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLocalDataStoreElement.exe: vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.621749990.0000000003541000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619591305.0000000003150000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624887466.0000000005C30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.228339752.0000000004A10000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.230767566.0000000005580000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.230767566.0000000005580000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.226688408.00000000000CC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLocalDataStoreElement.exe: vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.229561806.0000000004DD0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.230573821.0000000005480000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.226992512.000000000085A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.228280342.0000000004910000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000000.225963442.0000000000E6C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLocalDataStoreElement.exe: vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.243232065.0000000005750000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Binary or memory string: OriginalFilenameLocalDataStoreElement.exe: vs PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Section loaded: windows.staterepositoryps.dll (2 occurrences)
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Yara rule metadata (as reported, listed once):
      Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore
      Source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 00000003.00000002.625122849.0000000005F00000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5f00000.6.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.5c90000.5.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: KIgtQYTewUpkIc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/9@32/2
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_05490FA2 AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_05490F6B AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_0318139E AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_03181367 AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_04A40ADA AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 6_2_04A40AA3 AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | File created: C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{7bde8b34-23a2-4eb0-b342-f2ec89249790}
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4784:120:WilError_01
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll (4 occurrences)
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp (3 occurrences)
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (3 occurrences)
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Virustotal: Detection: 42%
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | File read: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe 'C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8731.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe 0
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F15.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp'
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8731.tmp'
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F15.tmp'
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
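The process creations above show the persistence step three times: the sample writes a task definition into the user's temp directory (tmp4B0D.tmp, tmp8731.tmp, tmp4F15.tmp) and registers it with schtasks /Create ... /XML, from a parent whose name ends in .pdf.exe. That is exactly what the two Sigma hits in the overview ("Scheduled temp file as task from temp location", "Suspicious Double Extension") key on. The script below is an added example, not Joe Sandbox or NanoCore code: it runs that rule logic over a handful of constructed process-creation events modelled on the command lines listed here. The explorer.exe parent, the NightlyBackup task and the cmd.exe parent are invented controls, and the field names only loosely follow Sysmon Event ID 1.

```python
import re

# Constructed process-creation events modelled on the command lines listed in
# the report. Not Joe Sandbox output. Joe Sandbox renders double quotes as
# single quotes, and the tokenizer below accepts both. The explorer.exe /
# cmd.exe parents and the NightlyBackup task are invented controls.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"'C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp'"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8731.tmp'"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /Create /TN 'NightlyBackup' /XML 'C:\ProgramData\Backup\nightly.xml'"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# A quoted run (single or double quotes) or a bare run of non-whitespace.
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
# Document-looking name followed by an executable extension.
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|txt|rtf|jpe?g|png|zip)\.(exe|scr|com|pif)$", re.I)
# Locations a legitimate task definition is unlikely to be staged in.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\|%temp%", re.I)


def tokenize(cmdline):
    """Split a Windows command line and drop the quotes around each token."""
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def has_double_extension(path):
    return bool(DOUBLE_EXT_RE.search(basename(path)))


def arg_after(tokens, flag):
    """Value following a case-insensitive switch such as /xml, or None."""
    low = [t.lower() for t in tokens]
    if flag in low and low.index(flag) + 1 < len(tokens):
        return tokens[low.index(flag) + 1]
    return None


def check_schtasks_from_temp(ev):
    """schtasks /create whose /xml definition lives in a temp directory."""
    if basename(ev["Image"]).lower() != "schtasks.exe":
        return None
    toks = tokenize(ev["CommandLine"])
    if "/create" not in {t.lower() for t in toks}:
        return None
    xml_path = arg_after(toks, "/xml")
    if not xml_path or not TEMP_DIR_RE.search(xml_path):
        return None
    return {"rule": "schtasks_xml_from_temp",
            "task": arg_after(toks, "/tn"),
            "xml": xml_path,
            "parent_double_ext": has_double_extension(ev["ParentImage"])}


def check_double_extension(ev):
    """Process image named like a document but ending in an executable extension."""
    if not has_double_extension(ev["Image"]):
        return None
    return {"rule": "double_extension_image", "image": ev["Image"]}


def analyze(events):
    """Run every check over every event; one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for check in (check_schtasks_from_temp, check_double_extension):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Matching on the /xml path rather than on the task name is deliberate: the task names here ("Updates\KIgtQYTewUpkIc", "DHCP Monitor") are chosen to blend in, whereas a task definition staged as tmpXXXX.tmp under AppData\Local\Temp is rare in legitimate software deployment. The parent_double_ext field ties the two weak signals together so the schtasks hit can be scored higher when its parent is the lure executable.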
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: System.pdbbp"dA | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: System.pdbb | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\dll\System.pdb | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: 32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000003.234792260.0000000001488000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.621749990.0000000003541000.00000004.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\System.pdbe | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: indows\System.pdbpdbtem.pdb | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.pdb | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: System.pdb | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.218131146.0000000005300000.00000002.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624887466.0000000005C30000.00000002.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.228280342.0000000004910000.00000002.00000001.sdmp
      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb | source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619282824.0000000001886000.00000004.00000040.sdmp

      Data Obfuscation:

.NET source code contains potential unpacker
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0x9A57B927 [Sun Jan 21 08:58:15 2052 UTC]
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_011A7A16 push cs; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_011A778A push ecx; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_011A7A3B push cs; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_011A7B59 push cs; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37ACB push edi; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37AF3 pushad ; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37A87 push 5B6602C3h; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37AA7 push edx; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37A43 push eax; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37A4F push edx; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37A53 push ebp; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37A07 push esi; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37A1F push ebx; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C3235B push ds; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C32333 push ds; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C378CB push eax; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37887 push edi; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C3784B pushad ; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37807 push ebx; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C379C3 push ecx; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C379EB push edi; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C379FB push edx; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37987 pushad ; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C3799B push esp; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C3797F push edi; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37697 push 56DE02C3h; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C37667 push eax; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C3761F push esp; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C3762F push edx; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C3774F pushad ; ret
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 0_2_02C3775B push 5CE002C3h; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.68934855761
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | File created: C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe

      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp'

      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | File opened: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe:Zone.Identifier read attributes | delete
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe | Static PE information: PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.217488646.00000000031E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.217424729.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.227611167.0000000002721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.217488646.00000000031E8000.00000004.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.217488646.00000000031E8000.00000004.00000001.sdmp, PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Window / User API: threadDelayed 565
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Window / User API: threadDelayed 744
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Window / User API: foregroundWindowGot 1277
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Window / User API: foregroundWindowGot 427
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 5748 | Thread sleep time: -53560s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 5352 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 1276 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 2292 | Thread sleep time: -260000s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 1376 | Thread sleep time: -49072s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 2296 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe TID: 3112 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_031810C6 GetSystemInfo,
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624534911.0000000005990000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624534911.0000000005990000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.618953714.000000000142A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)Py
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624534911.0000000005990000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.618953714.000000000142A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWS#:
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624534911.0000000005990000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Memory written: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Memory written: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp'
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8731.tmp'
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F15.tmp'
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Process created: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.622758634.0000000003703000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619382768.0000000001C50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619382768.0000000001C50000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.619382768.0000000001C50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.618953714.000000000142A000.00000004.00000020.sdmp | Binary or memory string: Program Managere=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
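The block above carries three indicators a detection engineer would turn into rules: the sample's double extension (.pdf.exe), schtasks.exe registering tasks from XML files in the user's Temp directory, and the sample writing a buffer that starts with 4D5A (an "MZ" PE header) at base 400000 into a second copy of itself, which is the process-hollowing evidence behind "Injects a PE file into a foreign processes". The Python below is an added example and is not part of the Joe Sandbox report or of NanoCore. Its event records are constructed from the report's own command lines; the PID tree, the parent PID 1000 and the field names are this example's assumptions (the report lists sample PIDs 2436, 5256, 4788 and 6008 but not which spawned which).

```python
"""Detection logic for the process-level indicators above (added example, not
part of the Joe Sandbox report).  The telemetry at the bottom is constructed
from the report's "Process created" and "Memory written" lines; the PID tree,
the parent PID and the field names are this example's assumptions.  The checks
mirror three of the report's signatures: "Suspicious Double Extension",
"Scheduled temp file as task from temp location" and "Injects a PE file into
a foreign processes".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

EXEC_EXT = {"exe", "scr", "com", "pif"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass
class MemWrite:
    writer_pid: int
    target_pid: int
    base: int       # target virtual address written to
    prefix: bytes   # first bytes of the written buffer


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring single or double quotes
    (the sandbox prints arguments single-quoted; real logs use double quotes)."""
    toks = _TOKEN.findall(cmdline)
    return [t[1:-1] if len(t) > 1 and t[0] in "'\"" and t[-1] == t[0] else t for t in toks]


def double_extension(path: str) -> bool:
    """invoice.pdf.exe: a decoy document extension directly before an executable one."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DECOY_EXT


def schtasks_from_temp(ev: ProcEvent) -> dict | None:
    """schtasks.exe /Create ... /XML <file under Temp or AppData>: the task definition
    is attacker-supplied, so return its name and XML path for follow-up."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    args = split_cmdline(ev.cmdline)
    low = [a.lower() for a in args]
    if "/create" not in low:
        return None
    opts = {flag: val for flag, val in zip(low, args[1:]) if flag in ("/tn", "/xml")}
    xml = opts.get("/xml", "")
    if any(seg in xml.lower() for seg in USER_WRITABLE):
        return {"task": opts.get("/tn"), "xml": xml, "parent_pid": ev.ppid}
    return None


def hollowing_candidates(procs: list[ProcEvent], writes: list[MemWrite]) -> list[dict]:
    """A parent writing a PE header ('MZ', 4D5A) into a child it created is the
    'Injects a PE file into a foreign processes' evidence; when the child runs
    the parent's own image it is self-hollowing, i.e. the on-disk .NET stub is
    replaced in memory by the unpacked payload."""
    by_pid = {p.pid: p for p in procs}
    found = []
    for w in writes:
        child, parent = by_pid.get(w.target_pid), by_pid.get(w.writer_pid)
        if child and parent and child.ppid == w.writer_pid and w.prefix[:2] == b"MZ":
            found.append({"writer": w.writer_pid, "target": w.target_pid, "base": w.base,
                          "same_image": child.image.lower() == parent.image.lower()})
    return found


def triage(procs: list[ProcEvent], writes: list[MemWrite]) -> list[tuple[str, dict]]:
    """Run all three checks and return (rule, detail) findings in event order."""
    findings = []
    for p in procs:
        if double_extension(p.image):
            findings.append(("double_extension", {"pid": p.pid, "image": p.image}))
        task = schtasks_from_temp(p)
        if task:
            findings.append(("schtasks_xml_from_temp", task))
    findings += [("pe_written_into_child", h) for h in hollowing_candidates(procs, writes)]
    return findings


SAMPLE = "C:\\Users\\user\\Desktop\\PAYMENT_TT_COPYINVOICE001262021.pdf.exe"
SCHTASKS = "C:\\Windows\\SysWOW64\\schtasks.exe"
# Constructed telemetry: command lines are the report's; PIDs 1000/5300/5400 and the tree are assumed.
PROCS = [
    ProcEvent(2436, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(5300, 2436, SCHTASKS, "'C:\\Windows\\System32\\schtasks.exe' /Create /TN 'Updates\\KIgtQYTewUpkIc' "
                                    "/XML 'C:\\Users\\user\\AppData\\Local\\Temp\\tmp4B0D.tmp'"),
    ProcEvent(4788, 2436, SAMPLE, SAMPLE),
    ProcEvent(5400, 4788, SCHTASKS, "'schtasks.exe' /create /f /tn 'DHCP Monitor' "
                                    "/xml 'C:\\Users\\user\\AppData\\Local\\Temp\\tmp8731.tmp'"),
]
WRITES = [MemWrite(2436, 4788, 0x400000, b"MZ\x90\x00")]  # base 400000, value starts with 4D5A

if __name__ == "__main__":
    for rule, detail in triage(PROCS, WRITES):
        print(f"{rule}: {detail}")
```

The hollowing check keys on parent/child PIDs rather than on image path, because the report's two "Memory written" lines name the same path for writer and target; only the PID relationship distinguishes a process patching itself from a parent overwriting a freshly created (and, in practice, suspended) child.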

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.623216945.000000000459F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.241805191.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY
Source: Yara match | File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000003.00000002.621749990.0000000003541000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: PAYMENT_TT_COPYINVOICE001262021.pdf.exe, 00000009.00000002.241836475.0000000003572000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Yara detected Nanocore RAT
Source: Yara match | File source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.623216945.000000000459F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.241805191.0000000003551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 2436, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 5256, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 4788, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAYMENT_TT_COPYINVOICE001262021.pdf.exe PID: 6008, type: MEMORY
Source: Yara match | File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_031828EE bind,
Source: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Code function: 3_2_0318289C bind,

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job ^1 | DLL Side-Loading ^1 | DLL Side-Loading ^1 | Disable or Modify Tools ^1 | Input Capture ^11 | File and Directory Discovery ^1 | Remote Services | Archive Collected Data ^11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer ^1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Scheduled Task/Job ^1 | Access Token Manipulation ^1 | Deobfuscate/Decode Files or Information ^1 | LSASS Memory | System Information Discovery ^3 | Remote Desktop Protocol | Input Capture ^11 | Exfiltration Over Bluetooth | Encrypted Channel ^1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection ^112 | Obfuscated Files or Information ^13 | Security Account Manager | Query Registry ^1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port ^1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Scheduled Task/Job ^1 | Software Packing ^13 | NTDS | Security Software Discovery ^211 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software ^1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp ^1 | LSA Secrets | Virtualization/Sandbox Evasion ^3 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol ^1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading ^1 | Cached Domain Credentials | Process Discovery ^2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol ^21 | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading ^11 | DCSync | Application Window Discovery ^1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion ^3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation ^1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection ^112 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories ^1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

(^n reproduces the superscript counts attached to techniques in the original matrix; cells without a count are the unmatched remainder of the ATT&CK grid.)

      Behavior Graph


      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 344664 | Sample: PAYMENT_TT_COPYINVOICE001262021.pdf.exe | Start date: 26/01/2021 | Architecture: WINDOWS | Score: 100
Root: DNS timnoipnew.ddns.net; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 18 other signatures
• PAYMENT_TT_COPYINVOICE001262021.pdf.exe (7)
  • dropped: C:\Users\user\AppData\...\KIgtQYTewUpkIc.exe (PE32); C:\...\KIgtQYTewUpkIc.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp4B0D.tmp (XML); PAYMENT_TT_COPYINV...1262021.pdf.exe.log (ASCII)
  • signature: Injects a PE file into a foreign processes
  • PAYMENT_TT_COPYINVOICE001262021.pdf.exe (11)
    • network: timnoipnew.ddns.net 91.193.75.45, ports 3387, 49719, 49720 (DAVID_CRAIGGG, Serbia); 192.168.2.1 (unknown)
    • dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
    • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    • schtasks.exe (1)
      • conhost.exe
  • schtasks.exe (1)
    • conhost.exe
• PAYMENT_TT_COPYINVOICE001262021.pdf.exe (4)
  • schtasks.exe (1)
    • conhost.exe
  • PAYMENT_TT_COPYINVOICE001262021.pdf.exe (2)

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
PAYMENT_TT_COPYINVOICE001262021.pdf.exe | 42% | Virustotal |
PAYMENT_TT_COPYINVOICE001262021.pdf.exe | 9% | ReversingLabs | Win32.Trojan.Pwsx
PAYMENT_TT_COPYINVOICE001262021.pdf.exe | 100% | Joe Sandbox ML |

      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe | 42% | Virustotal |
C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe | 9% | ReversingLabs | Win32.Trojan.Pwsx

      Unpacked PE Files

Source | Detection | Scanner | Label
3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.6050000.7.unpack | 100% | Avira | TR/NanoCore.fadte
3.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.2.PAYMENT_TT_COPYINVOICE001262021.pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
timnoipnew.ddns.net | 91.193.75.45 | true | true | | unknown

        Contacted IPs


        Public

IP | Domain | Country | ASN | ASN Name | Malicious
91.193.75.45 | unknown | Serbia | 209623 | DAVID_CRAIGGG | true

        Private

        IP
        192.168.2.1

        General Information

        Joe Sandbox Version:31.0.0 Emerald
        Analysis ID:344664
        Start date:26.01.2021
        Start time:21:33:31
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 11m 14s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:PAYMENT_TT_COPYINVOICE001262021.pdf.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@15/9@32/2
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • TCP Packets have been reduced to 100
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
        • Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.43.193.48, 40.88.32.150, 13.64.90.137, 52.255.188.83, 104.43.139.144, 51.11.168.160, 95.101.22.125, 95.101.22.134, 92.122.253.206, 23.62.99.18, 23.62.99.26, 20.54.26.129, 2.20.157.220, 51.104.139.180, 52.155.217.156
        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.

        Simulations

        Behavior and APIs

Time | Type | Description
21:34:22 | API Interceptor | 1585x Sleep call for process: PAYMENT_TT_COPYINVOICE001262021.pdf.exe modified
21:34:27 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe" s>$(Arg0)
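The Task Scheduler entry above is the run-time side of the two schtasks /Create ... /XML invocations: the task definitions live in tmp4B0D.tmp and tmp8731.tmp (the report lists the first as an XML 1.0 document) and end up as files under C:\Windows\System32\Tasks\ once registered. A triager rarely gets the sandbox's copy of those XML files, but can parse the registered ones off a host. The Python below is an added example, not part of the report; the two task documents in it are constructed in the Task Scheduler XML schema to match what the report shows (the dropped KIgtQYTewUpkIc.exe under AppData\Roaming and the "DHCP Monitor" task running the sample with $(Arg0)), and are not the sample's actual tmp files, whose contents the page does not show.

```python
"""Pulling the registered action out of a Task Scheduler XML definition (added
example, not part of the report).  The report shows that the tasks are created
from tmp4B0D.tmp / tmp8731.tmp, that KIgtQYTewUpkIc.exe is dropped under
AppData\\Roaming and that 'DHCP Monitor' runs the sample with $(Arg0); the two
documents below are constructed in the Task Scheduler schema to match that and
are not the sample's real files.  The same parser runs over the definitions in
C:\\Windows\\System32\\Tasks\\ when triaging a host (use ET.parse on the file
path there: it reads bytes, so the on-disk UTF-16 encoding is handled).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\desktop\\")


@dataclass
class TaskAction:
    uri: str
    command: str
    arguments: str
    logon_trigger: bool
    hidden: bool

    @property
    def reasons(self) -> list[str]:
        """Why a triager should look at this task; empty for an unremarkable one."""
        out, low = [], self.command.lower()
        if any(seg in low for seg in USER_WRITABLE):
            out.append("exec_from_user_writable_path")
        name = low.rsplit("\\", 1)[-1]
        if name.endswith(".exe") and name.count(".") >= 2:
            out.append("double_extension_target")
        if self.logon_trigger:
            out.append("runs_at_logon")
        if self.hidden:
            out.append("hidden")
        return out


def parse_task(xml_text: str) -> list[TaskAction]:
    """One TaskAction per <Exec> action in a Task Scheduler XML document."""
    root = ET.fromstring(xml_text)

    def text(node, path):
        return (node.findtext(path, default="", namespaces=NS) or "").strip()

    uri = text(root, "t:RegistrationInfo/t:URI")
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    hidden = text(root, "t:Settings/t:Hidden").lower() == "true"
    return [TaskAction(uri, text(ex, "t:Command"), text(ex, "t:Arguments"), logon, hidden)
            for ex in root.findall("t:Actions/t:Exec", NS)]


def triage_tasks(docs: dict[str, str]) -> dict[str, list[str]]:
    """Map each task file name to the sorted reasons its actions are suspicious (flagged only)."""
    flagged = {}
    for fname, xml_text in docs.items():
        reasons = sorted({r for a in parse_task(xml_text) for r in a.reasons})
        if reasons:
            flagged[fname] = reasons
    return flagged


# Constructed definitions in the Task Scheduler schema; not the sample's actual files.
TASK_UPDATES = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updates\KIgtQYTewUpkIc</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe</Command></Exec>
  </Actions>
</Task>"""

TASK_DHCP = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\DHCP Monitor</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for fname, reasons in triage_tasks({"tmp4B0D.tmp": TASK_UPDATES, "tmp8731.tmp": TASK_DHCP}).items():
        print(fname, reasons)
```

The Exec/Command path is the element worth keying on: a task name such as "Updates\..." or "DHCP Monitor" is chosen to blend in, but an action that points into AppData, Temp or the Desktop cannot be made to look like a vendor task.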

        Joe Sandbox View / Context

        IPs

Match | Associated Sample Name / URL | Detection
91.193.75.45 | PURCHASE OREDER. PRINT. pdf.exe | malicious

          Domains

          No context

          ASN

Match | Associated Sample Name / URL | Detection | Contacted IP
DAVID_CRAIGGG | eTDAg77Nif.exe | malicious | 91.193.75.94
DAVID_CRAIGGG | hG8XQh9hMy.exe | malicious | 91.193.75.94
DAVID_CRAIGGG | SecuriteInfo.com.Trojan.Siggen11.59480.29168.exe | malicious | 91.193.75.94
DAVID_CRAIGGG | qp38gXDG87.exe | malicious | 91.193.75.94
DAVID_CRAIGGG | Quote#SO2021010197.pdf.exe | malicious | 91.193.75.185
DAVID_CRAIGGG | SecuriteInfo.com.Trojan.DownLoader36.37095.24479.exe | malicious | 185.140.53.149
DAVID_CRAIGGG | OTT MT103_211412199807_OP03202101150042_20210119_6190008_1.exe | malicious | 91.193.75.182
DAVID_CRAIGGG | TNT SHIPMENT AWB_IMAGE CI_FROM TNT AWB# 167095453_PDF_________.EXE | malicious | 91.193.75.155
DAVID_CRAIGGG | 9A87wdxsuh.exe | malicious | 91.193.75.204
DAVID_CRAIGGG | PROOF OF PAYMENT.exe | malicious | 185.140.53.131
DAVID_CRAIGGG | SecuriteInfo.com.Artemis1A5E2411DEA6.exe | malicious | 91.193.75.204
DAVID_CRAIGGG | Payment Invoice PDF.exe | malicious | 185.244.30.18
DAVID_CRAIGGG | New Doc 20211401#_our new price.exe | malicious | 91.193.75.243
DAVID_CRAIGGG | company profile.exe | malicious | 185.140.53.227
DAVID_CRAIGGG | NEWORDERrefno0992883jpg.exe | malicious | 185.140.53.253
DAVID_CRAIGGG | richiealvin.exe | malicious | 91.193.75.185
DAVID_CRAIGGG | Quotation.exe | malicious | 185.140.53.154
DAVID_CRAIGGG | DHL Delivery Shipping Cargo. Pdf.exe | malicious | 185.244.30.18
DAVID_CRAIGGG | CompanyLicense.exe | malicious | 185.140.53.253
DAVID_CRAIGGG | Purchase Order 2094742424.exe | malicious | 185.244.30.132

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PAYMENT_TT_COPYINVOICE001262021.pdf.exe.log
          Process:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):664
          Entropy (8bit):5.288448637977022
          Encrypted:false
          SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
          MD5:B1DB55991C3DA14E35249AEA1BC357CA
          SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
          SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
          SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
          Malicious:true
          Reputation:moderate, very likely benign file
          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
          C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp
          Process:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1647
          Entropy (8bit):5.195355045323717
          Encrypted:false
          SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBatn:cbh47TlNQ//rydbz9I3YODOLNdq36
          MD5:4D74817CFF3E30A5F0AF3D7A0ABCE7B7
          SHA1:CD11190CF9126DCF0FE2B02D5E0DD4592DCC174F
          SHA-256:9B8C81CF1A60FE2F4CFFB754F2A7B28F6CE5E602D55ABE378D17D7B98C0ED3F7
          SHA-512:9C3F42BD404B17B8491FCAAF48294E5B1FFE3C866CA4CEBE00A01A5264702E9E579C61716A032E4B86BD15DF64BB9DC2AFD0F52259725C5FAACAB2C120F4E957
          Malicious:true
          Reputation:low
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
          C:\Users\user\AppData\Local\Temp\tmp4F15.tmp
          Process:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1647
          Entropy (8bit):5.195355045323717
          Encrypted:false
          SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBatn:cbh47TlNQ//rydbz9I3YODOLNdq36
          MD5:4D74817CFF3E30A5F0AF3D7A0ABCE7B7
          SHA1:CD11190CF9126DCF0FE2B02D5E0DD4592DCC174F
          SHA-256:9B8C81CF1A60FE2F4CFFB754F2A7B28F6CE5E602D55ABE378D17D7B98C0ED3F7
          SHA-512:9C3F42BD404B17B8491FCAAF48294E5B1FFE3C866CA4CEBE00A01A5264702E9E579C61716A032E4B86BD15DF64BB9DC2AFD0F52259725C5FAACAB2C120F4E957
          Malicious:false
          Reputation:low
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
          C:\Users\user\AppData\Local\Temp\tmp8731.tmp
          Process:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1325
          Entropy (8bit):5.168235519124868
          Encrypted:false
          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0/+IOk8Vxtn:cbk4oL600QydbQxIYODOLedq383P8Vj
          MD5:9C55D71B6105631C8248121E7083A5DB
          SHA1:F0F576068A4B94B9A110E295FB3C7A0DC00A2294
          SHA-256:02DFB514337664548E807506DA82DBFB23862F20B35640DD2BAF58ECCDFBC0DB
          SHA-512:C82965147A52C8151DC0AEE6F6C8E5196492B80B67B975477247BA5342CEF9352A13EC388209B454E9FBD8AF17438FEE0C058980A561A4E0DE9E1D8BA33102C6
          Malicious:false
          Reputation:low
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
          Process:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          File Type:data
          Category:dropped
          Size (bytes):1984
          Entropy (8bit):6.997351629001838
          Encrypted:false
          SSDEEP:48:IkXCNlkXCNlkXCNlkXCNlkXCNlkXCNlkXCNlkXCg:QRRRRRRk
          MD5:01ACA3E1FB99EBB1C4A590CCF8E5DBF5
          SHA1:B73F827028C10498E94F4442F00D5CA303F0555F
          SHA-256:F131557702B8641631E80AD18CEBFA9B6376A7870629CA4C5386511907BCFF82
          SHA-512:2A02D1A86688C17B39C8EBE2070C6D119D302F0DEC9712391B9D80CA9B0A45E16B59FBA02A149A6FA9BB395E49E6F831BD21754E21531868B2BC314EA34D9AE7
          Malicious:false
          Reputation:low
          Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*.............S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.|ZGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*.............S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.|ZGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*.............S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.|ZGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*.............S.Ty.K.&....q$.7....."....F... .N.k.C.X.D.^.....u.\...X........s^.;...m/.,7X..v"B..#.T.F L...h.....t 5.|ZGj.h\.3.
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Process:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          File Type:Non-ISO extended-ASCII text, with NEL line terminators
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:yS1Pn:ycP
          MD5:F29DC7E43E84E1DAC23F0EE480D3B686
          SHA1:1333F272FA4053D8A46980A939DDD4CEF35B98E1
          SHA-256:D4A100D1C2F52263D2ECE5B09A55315E9EE38748A362DF896146696B059AE35E
          SHA-512:D756B64D5D3BA83347A785C7BE30FB11648700DEEDEB05750E94DA28B77D60CFF0D1AB0CE601AF0C734743D73537DBE731FF6477C1BEEDE0FF0779372C89CEA3
          Malicious:true
          Reputation:low
          Preview: ,..5...H
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
          Process:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):62
          Entropy (8bit):4.925576350534983
          Encrypted:false
          SSDEEP:3:oNWXp5v1k+0x6mTKDkFiV2C:oNWXpFu+IOk8kC
          MD5:A9983E872884738EFF30BD9E1876AD24
          SHA1:EA86E75B0D9E93AB4FBD32922E782B8882FA74CB
          SHA-256:C6A3469719B2A1524BD9571E7577E1C15A28D20DD8CF54364C452A5CF289765C
          SHA-512:5187E90A270951A960E256E9AF65CE091C0F0949C0376DDC14178961B56EE95D10BF50BBA63A2E089A9A46001FA5BBAA19C39DD180DC715E34CDA763C7838F18
          Malicious:false
          Reputation:low
          Preview: C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe
          Process:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):560640
          Entropy (8bit):7.678556658487106
          Encrypted:false
          SSDEEP:12288:ZSsJE3bGh84YuU/XM9O+Zss5IKmzmyuvhEyW1WF+pTYS+rTi2tnm071f:ZnE3QjNEslp5CIbWgS+rVZd1
          MD5:84F159A6D9B73E029D2B7E2C34CCCF3B
          SHA1:F941D4E4366561B492273B5D097119F296F7FA22
          SHA-256:69E6C181FA23893493ACDF273050519EEE74C052A8240FB967BFE7BB2D687C2B
          SHA-512:3EADAC075228F4FC4B11B56DE506B8CE0C7116285C2D204FEB986FD6DCFBB2E36B56905510838DBD74DDB600CFAFF595CF1775C1D5D6CB20193870EBEEEA7AB2
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: Virustotal, Detection: 42%
          • Antivirus: ReversingLabs, Detection: 9%
          Reputation:low
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.W...............P.............n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........K..............(F...[...........................................0............(....( .........(.....o!....*.....................("......(#......($......(%......(&....*N..(....o....('....*&..((....*.s)........s*........s+........s,........s-........*....0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*&..(3....*...0..<........~.....(4.....,!r...p.....(5...o6...s7............~.....
          C:\Users\user\AppData\Roaming\KIgtQYTewUpkIc.exe:Zone.Identifier
          Process:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:true
          Reputation:high, very likely benign file
          Preview: [ZoneTransfer]....ZoneId=0

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.678556658487106
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          • Win32 Executable (generic) a (10002005/4) 49.75%
          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
          • Windows Screen Saver (13104/52) 0.07%
          • Generic Win/DOS Executable (2004/3) 0.01%
          File name:PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          File size:560640
          MD5:84f159a6d9b73e029d2b7e2c34cccf3b
          SHA1:f941d4e4366561b492273b5d097119f296f7fa22
          SHA256:69e6c181fa23893493acdf273050519eee74c052a8240fb967bfe7bb2d687c2b
          SHA512:3eadac075228f4fc4b11b56de506b8ce0c7116285c2d204feb986fd6dcfbb2e36b56905510838dbd74ddb600cfaff595cf1775c1d5d6cb20193870ebeeea7ab2
          SSDEEP:12288:ZSsJE3bGh84YuU/XM9O+Zss5IKmzmyuvhEyW1WF+pTYS+rTi2tnm071f:ZnE3QjNEslp5CIbWgS+rVZd1
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.W...............P.............n.... ........@.. ....................................@................................

          File Icon

          Icon Hash:00828e8e8686b000

          Static PE Info

          General

          Entrypoint:0x48a26e
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x9A57B927 [Sun Jan 21 08:58:15 2052 UTC]
          TLS Callbacks:
          CLR (.Net) Version:v2.0.50727
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

          Entrypoint Preview

          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al

          Data Directories

          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8a21c | 0x4f | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8c000 | 0x5ec | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0xc | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8a200 | 0x1c | .text
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

          Sections

          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x2000 | 0x88274 | 0x88400 | False | 0.831024225917 | data | 7.68934855761 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rsrc | 0x8c000 | 0x5ec | 0x600 | False | 0.431640625 | data | 4.17333335024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x8e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          Name | RVA | Size | Type | Language | Country
          RT_VERSION | 0x8c090 | 0x35c | data | |
          RT_MANIFEST | 0x8c3fc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

          Imports

          DLL | Import
          mscoree.dll | _CorExeMain

          Version Infos

          Description | Data
          Translation | 0x0000 0x04b0
          LegalCopyright | Copyright 2018
          Assembly Version | 1.0.0.0
          InternalName | LocalDataStoreElement.exe
          FileVersion | 1.0.0.0
          CompanyName |
          LegalTrademarks |
          Comments |
          ProductName | broke-mobile
          ProductVersion | 1.0.0.0
          FileDescription | broke-mobile
          OriginalFilename | LocalDataStoreElement.exe

          Network Behavior

          Snort IDS Alerts

          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
          01/26/21-21:34:28.539168 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:34:34.822502 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:34:41.361541 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49721 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:34:47.620554 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49726 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:34:53.794741 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49730 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:35:00.021001 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49731 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:35:06.184662 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49733 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:35:12.464819 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49734 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:35:18.625120 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49738 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:35:24.918080 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49744 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:35:31.191644 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:35:37.527166 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49746 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:35:43.789996 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:35:51.101138 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49748 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:35:57.314843 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49751 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:36:03.569450 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49759 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:36:09.731186 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49760 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:36:15.904502 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:36:22.070901 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49762 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:36:28.538558 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49763 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:36:34.753076 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49764 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:36:42.895678 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49765 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:36:49.314662 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49768 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:36:55.583749 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49769 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:37:02.078984 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49770 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:37:08.619524 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49781 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:37:15.154244 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49782 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:37:21.330291 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49783 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:37:27.620885 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49784 | 3387 | 192.168.2.3 | 91.193.75.45
          01/26/21-21:37:33.801755 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49785 | 3387 | 192.168.2.3 | 91.193.75.45

          Network Port Distribution

          TCP Packets

          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Jan 26, 2021 21:34:28.221275091 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:28.508975029 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:28.509073019 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:28.539167881 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:28.840147972 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:28.843693018 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:29.171382904 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:29.171475887 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:29.458030939 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:29.458127975 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:29.794974089 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:29.795252085 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.123100042 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.123217106 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.164719105 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.164767027 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.164804935 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.164870024 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.164917946 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.164925098 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.165018082 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.165055990 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.165092945 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.165101051 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.165128946 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.165148973 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.165179014 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.165185928 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.165256977 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.165294886 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.165333986 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.165345907 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.165359020 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.165410042 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.386796951 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.453315020 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.453368902 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.453421116 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.453457117 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454128981 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454174042 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454204082 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454211950 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454277039 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454279900 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454318047 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454349041 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454368114 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454410076 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454430103 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454447031 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454483986 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454511881 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454524040 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454561949 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454561949 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454602957 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454632044 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454639912 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454691887 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454711914 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454736948 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454762936 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454775095 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454843998 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:30.454891920 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.454927921 CET | 3387 | 49719 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:30.455013990 CET | 49719 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:34.519819021 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:34.815891027 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:34.816118956 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:34.822501898 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:35.125354052 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:35.125446081 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:35.472032070 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:35.476351976 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:35.770724058 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:35.775935888 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:36.126689911 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.127995968 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:36.469949007 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.470155001 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:36.502815008 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.502872944 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.502912998 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.502949953 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.502983093 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:36.502986908 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.503005981 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:36.503022909 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:36.503025055 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.503073931 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.503076077 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:36.503083944 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:36.503115892 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.503154039 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.503175974 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:36.503185987 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45
          Jan 26, 2021 21:34:36.503190041 CET | 3387 | 49720 | 91.193.75.45 | 192.168.2.3
          Jan 26, 2021 21:34:36.503209114 CET | 49720 | 3387 | 192.168.2.3 | 91.193.75.45

          UDP Packets


          DNS Queries


          DNS Answers


          Code Manipulations

          Statistics

          Behavior

          System Behavior

          General

          Start time:21:34:22
          Start date:26/01/2021
          Path:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe'
          Imagebase:0xa50000
          File size:560640 bytes
          MD5 hash:84F159A6D9B73E029D2B7E2C34CCCF3B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.217488646.00000000031E8000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.217645175.0000000004171000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.217424729.0000000003171000.00000004.00000001.sdmp, Author: Joe Security
          Reputation:low

          General

          Start time:21:34:23
          Start date:26/01/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4B0D.tmp'
          Imagebase:0xe40000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:21:34:24
          Start date:26/01/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6b2800000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:21:34:25
          Start date:26/01/2021
          Path:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          Imagebase:0xd00000
          File size:560640 bytes
          MD5 hash:84F159A6D9B73E029D2B7E2C34CCCF3B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.624947695.0000000005C90000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.625221873.0000000006050000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.623216945.000000000459F000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.616162634.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.625122849.0000000005F00000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.625122849.0000000005F00000.00000004.00000001.sdmp, Author: Florian Roth
          Reputation:low

          General

          Start time:21:34:26
          Start date:26/01/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8731.tmp'
          Imagebase:0xe40000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:21:34:26
          Start date:26/01/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6b2800000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:21:34:27
          Start date:26/01/2021
          Path:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe 0
          Imagebase:0x40000
          File size:560640 bytes
          MD5 hash:84F159A6D9B73E029D2B7E2C34CCCF3B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.227636059.000000000275E000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.227909192.0000000003721000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.227611167.0000000002721000.00000004.00000001.sdmp, Author: Joe Security
          Reputation:low

          General

          Start time:21:34:29
          Start date:26/01/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KIgtQYTewUpkIc' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F15.tmp'
          Imagebase:0xe40000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:21:34:29
          Start date:26/01/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff6b2800000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:21:34:30
          Start date:26/01/2021
          Path:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\PAYMENT_TT_COPYINVOICE001262021.pdf.exe
          Imagebase:0xde0000
          File size:560640 bytes
          MD5 hash:84F159A6D9B73E029D2B7E2C34CCCF3B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.241857341.0000000004551000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.240020828.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.241805191.0000000003551000.00000004.00000001.sdmp, Author: Joe Security
          Reputation:low

          Disassembly

          Code Analysis
