Source: Copyofreceipt.exe.6620.5.memstr |
Malware Configuration Extractor: Agenttesla {"Username: ": "3ZVFxxx2W", "URL: ": "https://0SOrICva3tdSq4g.net", "To: ": "zenovia@ccglass.co.za", "ByHost: ": "mail.ccglass.co.za:587", "Password: ": "BKDXwAbUo", "From: ": "zenovia@ccglass.co.za"} |
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp |
String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp |
String found in binary or memory: http://DynDns.comDynDNS |
Source: Copyofreceipt.exe, 00000005.00000002.470932330.00000000033A6000.00000004.00000001.sdmp |
String found in binary or memory: http://ccglass.co.za |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://fontfabrik.com |
Source: Copyofreceipt.exe, 00000005.00000002.470932330.00000000033A6000.00000004.00000001.sdmp |
String found in binary or memory: http://mail.ccglass.co.za |
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.carterandcone.coml |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designers? |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.fontbureau.com/designersG |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.fonts.com |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.founder.com.cn/cn |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.goodfont.co.kr |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.sajatypeworks.com |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.sakkal.com |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.sandoll.co.kr |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.tiro.com |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.typography.netD |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.urwpp.deDPlease |
Source: Copyofreceipt.exe, 00000000.00000002.222383017.0000000006AE2000.00000004.00000001.sdmp |
String found in binary or memory: http://www.zhongyicts.com.cn |
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp |
String found in binary or memory: http://zJtUrL.com |
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp |
String found in binary or memory: https://0SOrICva3tdSq4g.net |
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp |
String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css |
Source: Copyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp, Copyofreceipt.exe, 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip |
Source: Copyofreceipt.exe, 00000005.00000002.468914912.00000000030F1000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: Copyofreceipt.exe, frmlogin.cs |
Long String: Length: 13656 |
Source: ZnTVKjXRZvpJV.exe.0.dr, frmlogin.cs |
Long String: Length: 13656 |
Source: 0.0.Copyofreceipt.exe.650000.0.unpack, frmlogin.cs |
Long String: Length: 13656 |
Source: 0.2.Copyofreceipt.exe.650000.0.unpack, frmlogin.cs |
Long String: Length: 13656 |
Source: 4.0.Copyofreceipt.exe.350000.0.unpack, frmlogin.cs |
Long String: Length: 13656 |
Source: 4.2.Copyofreceipt.exe.350000.0.unpack, frmlogin.cs |
Long String: Length: 13656 |
Source: 5.2.Copyofreceipt.exe.d50000.1.unpack, frmlogin.cs |
Long String: Length: 13656 |
Source: 5.0.Copyofreceipt.exe.d50000.0.unpack, frmlogin.cs |
Long String: Length: 13656 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_00659526 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_0106C0D4 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_0106E5A0 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_04F247F8 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_04F247F2 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_0714C1B0 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_07140040 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_07142E58 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_07142E68 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_07140D80 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_07142C18 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_07142C07 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_0714D273 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 0_2_0714617A |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 4_2_00359526 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_00D59526 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01222D50 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_0122DF60 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01222768 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01221FE0 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_0122BAA8 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_014520E0 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01457EB8 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_014595F8 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_0145EA28 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_014596A8 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01540040 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01549418 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01545CDC |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_0154C340 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01541780 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01544C10 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01540006 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_0154F27A |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_017446A0 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_01745372 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_017435C4 |
Source: C:\Users\user\Desktop\Copyofreceipt.exe |
Code function: 5_2_017445B0 |
Source: Copyofreceipt.exe, 00000000.00000000.197376752.00000000006D2000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000000.00000002.222618081.0000000006ED0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemscorrc.dllT vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000000.00000002.223262000.0000000007A90000.00000002.00000001.sdmp |
Binary or memory string: originalfilename vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000000.00000002.223262000.0000000007A90000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000000.00000002.217766303.00000000029AD000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameAsyncState.dllF vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000000.00000002.218072836.0000000003979000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameTXcrTtQyrOyUCSetTraHqGQSCLsAHRDhA.exe4 vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000000.00000002.223124965.00000000079A0000.00000002.00000001.sdmp |
Binary or memory string: System.OriginalFileName vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000004.00000000.215163381.00000000003D2000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000005.00000002.464492892.0000000001168000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000005.00000002.464792709.0000000001230000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamewshom.ocx.mui vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000005.00000002.463450155.0000000000402000.00000040.00000001.sdmp |
Binary or memory string: OriginalFilenameTXcrTtQyrOyUCSetTraHqGQSCLsAHRDhA.exe4 vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000005.00000002.464365715.0000000000DD2000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe |
Source: Copyofreceipt.exe, 00000005.00000002.467174113.0000000001460000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemscorrc.dllT vs Copyofreceipt.exe |
Source: Copyofreceipt.exe |
Binary or memory string: OriginalFilenamePEFileKinds.exe4 vs Copyofreceipt.exe |
Source: Copyofreceipt.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: ZnTVKjXRZvpJV.exe.0.dr |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: 5.2.Copyofreceipt.exe.400000.0.unpack, A/b2.cs |
Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: Copyofreceipt.exe, frmlogin.cs |
Base64 encoded string: |