
Analysis Report payment invoice.exe

Overview

General Information

Sample Name: payment invoice.exe
Analysis ID: 431785
MD5: 845d5dc8393bf7652f744e7fa7dfb3c3
SHA1: f83096a377039cfdbcfb930a98fd1b78691c4456
SHA256: 3aa4556bd929b55c5a51ea8cd76865fd4e27b880ec483aa8a94582071cdef24d
Tags: exe, NanoCore

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • payment invoice.exe (PID: 6660 cmdline: 'C:\Users\user\Desktop\payment invoice.exe' MD5: 845D5DC8393BF7652F744E7FA7DFB3C3)
    • schtasks.exe (PID: 6332 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • payment invoice.exe (PID: 6568 cmdline: {path} MD5: 845D5DC8393BF7652F744E7FA7DFB3C3)
      • schtasks.exe (PID: 408 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD79F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • payment invoice.exe (PID: 976 cmdline: 'C:\Users\user\Desktop\payment invoice.exe' 0 MD5: 845D5DC8393BF7652F744E7FA7DFB3C3)
    • schtasks.exe (PID: 1688 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmp70E1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "64d6914b-2a13-4387-9ead-01228df9", "Group": "Default", "Domain1": "ifybest85fff.ddns.net", "Domain2": "194.5.98.23", "Port": 7600, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
(78 entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 11.2.payment invoice.exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 11.2.payment invoice.exe.400000.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 11.2.payment invoice.exe.400000.0.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 11.2.payment invoice.exe.400000.0.unpack | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
Source: 11.2.payment invoice.exe.6f10000.23.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
(155 entries in total; only the first are shown here)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\payment invoice.exe, ProcessId: 6568, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore (same file-creation event as listed under AV Detection)

Stealing of Sensitive Information:

Sigma detected: NanoCore (same file-creation event as listed under AV Detection)

Remote Access Functionality:

Sigma detected: NanoCore (same file-creation event as listed under AV Detection)

          Signature Overview


AV Detection:

Found malware configuration
Source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "64d6914b-2a13-4387-9ead-01228df9", "Group": "Default", "Domain1": "ifybest85fff.ddns.net", "Domain2": "194.5.98.23", "Port": 7600, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for domain / URL
Source: ifybest85fff.ddns.net; Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\GotewYBrdNy.exe; ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: payment invoice.exe; Virustotal: Detection: 44%
Source: payment invoice.exe; ReversingLabs: Detection: 29%
Yara detected Nanocore RAT
Source: Yara match; File source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORY
Source: Yara match; File source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORY
Source: Yara match; File source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORY
Source: Yara match; File source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORY
Source: Yara match; File source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.payment invoice.exe.3ac95f8.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.payment invoice.exe.3af060c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.payment invoice.exe.3ac95f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\GotewYBrdNy.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: payment invoice.exe; Joe Sandbox ML: detected
Source: 11.0.payment invoice.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.payment invoice.exe.3ac95f8.6.unpack; Avira: Label: TR/NanoCore.fadte
Source: 25.0.payment invoice.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.payment invoice.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.2.payment invoice.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.payment invoice.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.0.payment invoice.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.payment invoice.exe.5470000.17.unpack; Avira: Label: TR/NanoCore.fadte
Source: payment invoice.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payment invoice.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb; source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: Binary string: (P$p,C:\Windows\System.pdb; source: payment invoice.exe, 0000000B.00000002.649382803.00000000069EC000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb; source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb; source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb; source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb; source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb; source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\payment invoice.exe; Code function: 4x nop then lea esp, dword ptr [ebp-04h]

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: ifybest85fff.ddns.net
Source: Malware configuration extractor; URLs: 194.5.98.23
Uses dynamic DNS services
Source: unknown; DNS query: name: ifybest85fff.ddns.net
Source: global traffic; TCP traffic: 192.168.2.6:49741 -> 194.5.98.23:7600
Source: Joe Sandbox View; IP Address: 194.5.98.23
Source: Joe Sandbox View; ASN Name: DANILENKODE
Source: unknown; DNS traffic detected: queries for: ifybest85fff.ddns.net
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment invoice.exe, 00000000.00000002.467752646.0000000001977000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comahY
Source: payment invoice.exe, 00000000.00000002.467752646.0000000001977000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comic
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: payment invoice.exe, 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment invoice.exe, 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; the same memory-dump and unpacked-PE file sources as listed for this signature under AV Detection above

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.649963116.0000000006C40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.650188515.0000000006F20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650157575.0000000006F10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.648469077.0000000005280000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.646977313.0000000003C89000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650009265.0000000006C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.650292848.0000000006F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650225160.0000000006F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650482817.0000000006F90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.650261294.0000000006F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650324913.0000000006F60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0000000B.00000002.647259512.0000000003E25000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000B.00000002.650370900.0000000006F70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6f10000.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f70000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e817b7.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f90000.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6c50000.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e98a16.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3ac95f8.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3c9a7cd.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6fe0000.34.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3c8e599.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6f90000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.3af060c.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.3ac95f8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6fa4c9f.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f60000.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6c50000.22.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f30000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f60000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f40000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6fae8a4.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e14ca6.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6fe0000.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.2ab4e0c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f50000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f50000.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f20000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6f20000.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6c40000.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6f30000.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.2af1c64.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.2ae5a1c.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6fa0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.5280000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3c8e599.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3c8e599.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 25.2.payment invoice.exe.2b095f4.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3caedfa.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3caedfa.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6f70000.29.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.2af1c64.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.6fa0000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.3e14ca6.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e98a16.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e817b7.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e817b7.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e8a5e6.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3e8a5e6.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.6c40000.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.2b062a0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.2ae5a1c.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Source: 11.2.payment invoice.exe.3c9a7cd.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
          Source: 11.2.payment invoice.exe.3c9a7cd.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: payment invoice.exe
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 0_2_0586C5CC
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 0_2_0586E56B
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 0_2_0586E570
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_06FF3F48
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_06FF3330
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_06FE42EB
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_06FE46D3
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_06FE3324
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_0291E480
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_0291E473
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_0291BBD4
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_06269608
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_062689F0
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_062696C6
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 11_2_06269940
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_028AC5CC
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_028AE562
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_028AE570
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_0553F910
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_0553EAF8
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_05537518
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_05537528
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_05533710
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_05533720
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_05536EB8
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_05536EA7
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_0553B1A0
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_05536B70
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_05536B69
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 16_2_08491E18
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 25_2_00F9E480
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 25_2_00F9E471
          Source: C:\Users\user\Desktop\payment invoice.exeCode function: 25_2_00F9BBD4
          Source: payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWindowsNetwork.dll> vs payment invoice.exe
          Source: payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs payment invoice.exe
          Source: payment invoice.exe, 00000000.00000002.466020857.0000000000FC2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameEUZihe.exeR vs payment invoice.exe
          Source: payment invoice.exe, 00000000.00000002.481878309.000000000EF40000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs payment invoice.exe
          Source: payment invoice.exeBinary or memory string: OriginalFilename vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.648831283.0000000005F10000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.640978089.00000000006C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameEUZihe.exeR vs payment invoice.exe
          Source: payment invoice.exe, 0000000B.00000002.650727872.0000000007120000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000000.473925014.00000000006E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameEUZihe.exeR vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWindowsNetwork.dll> vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000002.576337167.000000000E0B0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000002.576337167.000000000E0B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs payment invoice.exe
          Source: payment invoice.exe, 00000010.00000002.575920545.000000000DFC0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000000.565896101.00000000006E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameEUZihe.exeR vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000002.583975546.0000000000D98000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs payment invoice.exe
          Source: payment invoice.exe, 00000019.00000002.586964569.0000000004FB0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs payment invoice.exe
          Source: payment invoice.exeBinary or memory string: OriginalFilenameEUZihe.exeR vs payment invoice.exe
          Source: payment invoice.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Matched Yara rules (each rule's metadata is listed once; the per-region matches follow):
          Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 0000000B.00000002.649963116.0000000006C40000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 0000000B.00000002.650188515.0000000006F20000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, type: MEMORY; Matched rules: NanoCore
          Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 0000000B.00000002.650157575.0000000006F10000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 0000000B.00000002.648469077.0000000005280000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 0000000B.00000002.646977313.0000000003C89000.00000004.00000001.sdmp, type: MEMORY; Matched rules: NanoCore
          Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 0000000B.00000002.650009265.0000000006C50000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 0000000B.00000002.650292848.0000000006F50000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY; Matched rules: NanoCore
          Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 0000000B.00000002.650225160.0000000006F30000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 0000000B.00000002.650482817.0000000006F90000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 0000000B.00000002.650261294.0000000006F40000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 0000000B.00000002.650324913.0000000006F60000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 0000000B.00000002.647259512.0000000003E25000.00000004.00000001.sdmp, type: MEMORY; Matched rules: NanoCore
          Source: 0000000B.00000002.650370900.0000000006F70000.00000004.00000001.sdmp, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY; Matched rules: NanoCore
          Source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORY; Matched rules: Nanocore_RAT_Gen_2, NanoCore
          Source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
          Source: 11.2.payment invoice.exe.6f10000.23.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.6f70000.29.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.3e817b7.14.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.6f90000.30.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.6c50000.22.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.3e98a16.13.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.3ac95f8.6.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.3c9a7cd.9.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.6fe0000.34.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.3c8e599.8.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
          Source: 11.2.payment invoice.exe.6f90000.30.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
          Source: 25.2.payment invoice.exe.3af060c.5.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.3ac95f8.6.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.6fa4c9f.33.raw.unpack, type: UNPACKEDPE; Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
          Source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6f60000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f60000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.6c50000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6c50000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6f30000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f30000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6f60000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f60000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6f40000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f40000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6fae8a4.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6fae8a4.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3e14ca6.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3e14ca6.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6fe0000.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6fe0000.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.2ab4e0c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.2ab4e0c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6f50000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f50000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6f50000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f50000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6f20000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f20000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.6f20000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f20000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6c40000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6c40000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6f30000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f30000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.2af1c64.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.2af1c64.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.2ae5a1c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.2ae5a1c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6fa0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6fa0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.5280000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.5280000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3c8e599.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3c8e599.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 25.2.payment invoice.exe.2b095f4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.payment invoice.exe.2b095f4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3caedfa.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3caedfa.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.6f70000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6f70000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.2af1c64.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.6fa0000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6fa0000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.3e14ca6.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3e14ca6.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3e98a16.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3e98a16.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3e817b7.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3e817b7.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3e817b7.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3e8a5e6.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3e8a5e6.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.3e8a5e6.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3e8a5e6.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.6c40000.21.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.6c40000.21.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 11.2.payment invoice.exe.2b062a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.2ae5a1c.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.2.payment invoice.exe.3c9a7cd.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 11.2.payment invoice.exe.3c9a7cd.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 25.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 25.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 25.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 25.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 25.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 25.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/11@12/1
          Source: C:\Users\user\Desktop\payment invoice.exe | File created: C:\Users\user\AppData\Roaming\GotewYBrdNy.exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
          Source: C:\Users\user\Desktop\payment invoice.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{64d6914b-2a13-4387-9ead-01228df90732}
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4648:120:WilError_01
          Source: C:\Users\user\Desktop\payment invoice.exe | Mutant created: \Sessions\1\BaseNamedObjects\XXQFmKqbhRlUJSEysVNVGeSPP
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_01
          Source: C:\Users\user\Desktop\payment invoice.exe | File created: C:\Users\user\AppData\Local\Temp\tmpC705.tmp
          Source: payment invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\payment invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\payment invoice.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\payment invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: payment invoice.exe | Virustotal: Detection: 44%
          Source: payment invoice.exe | ReversingLabs: Detection: 29%
          Source: C:\Users\user\Desktop\payment invoice.exe | File read: C:\Users\user\Desktop\payment invoice.exe
          Source: unknown | Process created: C:\Users\user\Desktop\payment invoice.exe 'C:\Users\user\Desktop\payment invoice.exe'
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Users\user\Desktop\payment invoice.exe {path}
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD79F.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\payment invoice.exe 'C:\Users\user\Desktop\payment invoice.exe' 0
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmp70E1.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Users\user\Desktop\payment invoice.exe {path}
          Source: C:\Users\user\Desktop\payment invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\payment invoice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: payment invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: payment invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
          Source: Binary string: (P$p,C:\Windows\System.pdb source: payment invoice.exe, 0000000B.00000002.649382803.00000000069EC000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.0.payment invoice.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.0.payment invoice.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.2.payment invoice.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.2.payment invoice.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.0.payment invoice.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 25.0.payment invoice.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 0_2_00EC7B89 push ebx; ret
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 0_2_0586E518 push eax; ret
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 11_2_005C7B89 push ebx; ret
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 11_2_0626639C push edx; retf
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 11_2_0626BC08 pushad ; ret
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 16_2_005E7B89 push ebx; ret
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 16_2_028AE518 push eax; ret
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 16_2_05534F41 push edx; ret
          Source: C:\Users\user\Desktop\payment invoice.exe | Code function: 16_2_0553398A push ecx; retf
          Source: initial sample | Static PE information: section name: .text entropy: 7.30117922021
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 11.0.payment invoice.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 11.2.payment invoice.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 11.0.payment invoice.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 25.0.payment invoice.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 25.0.payment invoice.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 25.2.payment invoice.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: 25.2.payment invoice.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 25.0.payment invoice.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 25.0.payment invoice.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\payment invoice.exe | File created: C:\Users\user\AppData\Roaming\GotewYBrdNy.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\payment invoice.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp'

          Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\payment invoice.exeFile opened: C:\Users\user\Desktop\payment invoice.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\payment invoice.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Yara detected AntiVM3
          Source: Yara matchFile source: 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORY
          Source: Yara matchFile source: 0.2.payment invoice.exe.341d068.1.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: payment invoice.exe, 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\payment invoice.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\payment invoice.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\payment invoice.exeWindow / User API: threadDelayed 4452
          Source: C:\Users\user\Desktop\payment invoice.exeWindow / User API: threadDelayed 4827
          Source: C:\Users\user\Desktop\payment invoice.exeWindow / User API: foregroundWindowGot 453
          Source: C:\Users\user\Desktop\payment invoice.exeWindow / User API: foregroundWindowGot 428
          Source: C:\Users\user\Desktop\payment invoice.exe TID: 6692Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\payment invoice.exe TID: 6764Thread sleep time: -15679732462653109s >= -30000s
          Source: C:\Users\user\Desktop\payment invoice.exe TID: 7068Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\payment invoice.exe TID: 6888Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: payment invoice.exe, 0000000B.00000002.650727872.0000000007120000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: payment invoice.exe, 0000000B.00000002.650727872.0000000007120000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: payment invoice.exe, 0000000B.00000002.650727872.0000000007120000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: payment invoice.exe, 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: payment invoice.exe, 0000000B.00000002.650727872.0000000007120000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\payment invoice.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\payment invoice.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\payment invoice.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\payment invoice.exeMemory written: C:\Users\user\Desktop\payment invoice.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\payment invoice.exeProcess created: C:\Users\user\Desktop\payment invoice.exe {path}
          Source: C:\Users\user\Desktop\payment invoice.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD79F.tmp'
          Source: C:\Users\user\Desktop\payment invoice.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmp70E1.tmp'
          Source: payment invoice.exe, 0000000B.00000002.644797305.0000000002D27000.00000004.00000001.sdmpBinary or memory string: Program ManagerH
          Source: payment invoice.exe, 0000000B.00000002.646489484.0000000002FF9000.00000004.00000001.sdmpBinary or memory string: Program Manager
          Source: payment invoice.exe, 0000000B.00000002.651044502.0000000007A8B000.00000004.00000001.sdmpBinary or memory string: Program Manager$
          Source: payment invoice.exe, 0000000B.00000002.650962100.000000000758B000.00000004.00000001.sdmpBinary or memory string: Program Manager`_
          Source: payment invoice.exe, 0000000B.00000002.642570304.0000000001440000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: payment invoice.exe, 0000000B.00000002.642570304.0000000001440000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: payment invoice.exe, 0000000B.00000002.650989172.000000000780C000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
          Source: payment invoice.exe, 0000000B.00000002.648996309.000000000613B000.00000004.00000001.sdmpBinary or memory string: Program Manager H
          Source: payment invoice.exe, 0000000B.00000002.642570304.0000000001440000.00000002.00000001.sdmpBinary or memory string: &Program Manager
          Source: payment invoice.exe, 0000000B.00000002.642570304.0000000001440000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmpBinary or memory string: Program Manager
          Source: payment invoice.exe, 0000000B.00000002.649878408.0000000006C2A000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager (
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Users\user\Desktop\payment invoice.exe VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Users\user\Desktop\payment invoice.exe VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Users\user\Desktop\payment invoice.exe VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Users\user\Desktop\payment invoice.exe VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\payment invoice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\payment invoice.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
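          The rows above show the host-survey pattern the report flags: the sample reads the stable MachineGuid value and then asks ROOT\SecurityCenter2 for every registered AntiVirusProduct, AntiSpywareProduct and FirewallProduct, eight times over. As an added example that is not code from the report or from the sample, the following Python detector parses event lines of that shape, groups them per source process, and raises a finding only for a process that enumerates all three product classes, attaching the MachineGuid read as a second fingerprinting indicator. The pipe-separated line format, the sample events and the allowlist path are constructed for this example.

```python
import re
from collections import defaultdict

# Event shapes modelled on the report's "WMI Queries" and "Key value queried"
# rows. The pipe-separated layout is an assumption made for this example.
WMI_RE = re.compile(
    r"^Source: (?P<proc>.+?) \| WMI Queries: IWbemServices::ExecQuery - "
    r"(?P<ns>[\w\\]+) : SELECT (?P<cols>.+?) FROM (?P<cls>\w+)$",
    re.IGNORECASE,
)
REG_RE = re.compile(
    r"^Source: (?P<proc>.+?) \| Key value queried: (?P<key>.+?) (?P<value>\w+)$",
    re.IGNORECASE,
)

# The three SecurityCenter2 classes a full security-product survey reads.
SECURITY_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}

# Hypothetical allowlist of binaries expected to run this survey (assumption).
ALLOWLIST = {r"c:\program files\inventoryagent\agent.exe"}

# Constructed events, not taken from the report's log.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\payment invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\payment invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\payment invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct",
    r"Source: C:\Users\user\Desktop\payment invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct",
    r"Source: C:\Users\user\Desktop\payment invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Users\user\Desktop\payment invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct",
    r"Source: C:\Users\user\Desktop\payment invoice.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct",
    # Hypothetical allowlisted agent running the same survey once: suppressed.
    r"Source: C:\Program Files\InventoryAgent\agent.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Program Files\InventoryAgent\agent.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct",
    r"Source: C:\Program Files\InventoryAgent\agent.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct",
    # Partial survey and an unrelated namespace: neither should fire.
    r"Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct",
    r"Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor",
]


def parse_event(line):
    """Return a dict for one WMI or registry event, or None for other lines."""
    m = WMI_RE.match(line)
    if m:
        return {"proc": m["proc"], "kind": "wmi", "ns": m["ns"], "cls": m["cls"]}
    m = REG_RE.match(line)
    if m:
        return {"proc": m["proc"], "kind": "reg", "key": m["key"], "value": m["value"]}
    return None


def summarize(lines):
    """Per process: SecurityCenter2 classes queried, query count, MachineGuid read."""
    per_proc = defaultdict(lambda: {"classes": set(), "wmi_queries": 0, "machineguid": False})
    for line in lines:
        ev = parse_event(line.strip())
        if ev is None:
            continue
        rec = per_proc[ev["proc"]]
        if ev["kind"] == "wmi" and ev["ns"].lower() == r"root\securitycenter2":
            rec["wmi_queries"] += 1
            rec["classes"].add(ev["cls"])
        elif (ev["kind"] == "reg"
              and ev["key"].lower().endswith(r"\software\microsoft\cryptography")
              and ev["value"].lower() == "machineguid"):
            rec["machineguid"] = True
    return per_proc


def detect(lines):
    """Flag processes that survey all three product classes and are not allowlisted."""
    findings = []
    for proc, rec in summarize(lines).items():
        if proc.lower() in ALLOWLIST or not SECURITY_CLASSES <= rec["classes"]:
            continue
        classes = ", ".join(sorted(rec["classes"]))
        reasons = [f"enumerated {classes} via ROOT\\SecurityCenter2 ({rec['wmi_queries']} queries)"]
        if rec["machineguid"]:
            reasons.append("read HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid (stable host fingerprint)")
        findings.append({"proc": proc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["proc"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

          Requiring all three classes keeps lone AntiVirusProduct lookups, which plenty of benign installers perform, out of the results; the query count is carried into the finding because the sandbox saw the same triad issued eight times, which is worth a second look on its own.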

          Stealing of Sensitive Information:

          Yara detected Nanocore RAT
          Source: Yara match | File source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 6504, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 6568, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 6660, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment invoice.exe PID: 976, type: MEMORY
          Source: Yara match | File source: 11.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.3ac95f8.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.payment invoice.exe.3af060c.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.3ac95f8.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.3acdc21.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.payment invoice.exe.3b3ed50.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.payment invoice.exe.3b3ed50.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.payment invoice.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.0.payment invoice.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.5474629.18.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.payment invoice.exe.44aed50.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.payment invoice.exe.3af060c.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.0.payment invoice.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.payment invoice.exe.44aed50.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.5470000.17.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 11.2.payment invoice.exe.5470000.17.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.payment invoice.exe.3af4c35.3.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: payment invoice.exe, 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: payment invoice.exe | String found in binary or memory: NanoCore.ClientPluginHost
          Source: payment invoice.exe, 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
          Source: payment invoice.exe, 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
          Source: payment invoice.exe, 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: payment invoice.exe, 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: payment invoice.exe, 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
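          The run-on strings above are the entries of the .NET metadata #Strings heap of the NanoCore client (ClientPlugin.dll) and its plugins (NanoCoreBase.dll, FileBrowserClient, MyClientPlugin.dll, NanoCoreStressTester), printed with their NUL terminators dropped; the recurring NanoCore.ClientPluginHost name is the interface every plugin implements against. As an added example that is not code from the report or from the sample, the following Python scanner reproduces that triage on a memory dump or unpacked PE: it searches for the marker in both encodings a .NET image can hold it in (UTF-8 in the #Strings heap, UTF-16LE in the #US heap or a managed string), then checks the surrounding bytes for the interface and method names listed above and collects any plugin assembly filenames nearby. The sample blob is constructed, and the window size, the secondary-indicator list and the verdict thresholds are choices made for this example.

```python
import re

# Marker and secondary names taken from the strings the report found in memory.
PRIMARY = b"NanoCore.ClientPluginHost"
SECONDARY = [b"IClientNetworkHost", b"IClientLoggingHost", b"IClientDataHost",
             b"SendToServer", b"ReadPacket", b"BuildingHostCache"]

# Plugin assembly filenames as they appear in a #Strings heap entry.
ASSEMBLY_RE = re.compile(rb"[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*\.dll")

# Constructed stand-in for a memory region: a fake #Strings heap with
# NUL-terminated entries, then one UTF-16LE copy of the marker. The odd-length
# padding before it deliberately misaligns the UTF-16 text. Not report data.
SAMPLE_HEAP = (
    b"\x00<Module>\x00mscorlib\x00NanoCore.ClientPluginHost\x00IClientNetworkHost\x00"
    b"IClientLoggingHost\x00SendToServer\x00ReadPacket\x00AssemblyTitleAttribute\x00"
    b"ClientPlugin\x00ClientPlugin.dll\x00NanoCoreBase.dll\x00"
)
SAMPLE_BLOB = (b"MZ" + b"\x90" * 200 + SAMPLE_HEAP + b"\x00" * 33
               + "NanoCore.ClientPluginHost".encode("utf-16-le") + b"\x00" * 16)


def needles(marker):
    """The marker in both encodings a .NET image can hold it in."""
    return {"utf-8": marker, "utf-16-le": marker.decode("ascii").encode("utf-16-le")}


def scan_blob(blob, window=2048):
    """One finding per PRIMARY hit: offset, encoding, secondary names and
    .dll names seen within `window` bytes on either side of the hit."""
    findings = []
    for enc, needle in needles(PRIMARY).items():
        for m in re.finditer(re.escape(needle), blob):
            lo = max(0, m.start() - window)
            hi = m.end() + window
            if enc == "utf-16-le":
                lo += (m.start() - lo) % 2  # keep 2-byte alignment with the hit
                # Fold the UTF-16 region back to ASCII so the same checks apply.
                region = (blob[lo:hi].decode("utf-16-le", errors="ignore")
                          .encode("ascii", errors="ignore"))
            else:
                region = blob[lo:hi]
            secondary = [s.decode() for s in SECONDARY if s in region]
            assemblies = sorted({d.decode() for d in ASSEMBLY_RE.findall(region)})
            findings.append({"offset": m.start(), "encoding": enc,
                             "secondary": secondary, "assemblies": assemblies})
    return findings


def verdict(findings):
    """The marker alone is weak evidence (it also lives in analysis notes and
    signature files); the marker next to several plugin-host interface and
    method names looks like a loaded client or plugin assembly."""
    if not findings:
        return "clean"
    if any(len(f["secondary"]) >= 3 for f in findings):
        return "nanocore-plugin-host"
    return "suspicious-string"


if __name__ == "__main__":
    hits = scan_blob(SAMPLE_BLOB)
    for hit in hits:
        print(hit)
    print(verdict(hits))
```

          Run it over a process memory dump (for example the .sdmp regions named in the Yara matches) rather than the packed file on disk: the report's matches come from unpacked memory, and the dropper on disk need not contain any of these names in clear.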
Yara detected Nanocore RAT

Source: Yara match. Memory dumps matched (type: MEMORY):
• 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp
• 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp
• 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp
• 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp
• 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp
• 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp
• 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp
• 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp
• 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp
• 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp
• 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp
• 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp
• 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp
• 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp
• 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp

Process memory spaces matched (type: MEMORY):
• payment invoice.exe PID: 6504
• payment invoice.exe PID: 6568
• payment invoice.exe PID: 6660
• payment invoice.exe PID: 976

Unpacked PE files matched (type: UNPACKEDPE):
• 11.2.payment invoice.exe.400000.0.unpack
• 11.2.payment invoice.exe.3ac95f8.6.unpack
• 11.0.payment invoice.exe.400000.1.unpack
• 25.0.payment invoice.exe.400000.3.unpack
• 25.2.payment invoice.exe.3af060c.5.raw.unpack
• 11.2.payment invoice.exe.3ac95f8.6.raw.unpack
• 11.2.payment invoice.exe.3acdc21.7.raw.unpack
• 16.2.payment invoice.exe.3b3ed50.3.raw.unpack
• 16.2.payment invoice.exe.3b3ed50.3.unpack
• 25.2.payment invoice.exe.400000.0.unpack
• 25.2.payment invoice.exe.3aeb7d6.4.raw.unpack
• 11.0.payment invoice.exe.400000.3.unpack
• 11.2.payment invoice.exe.5474629.18.raw.unpack
• 0.2.payment invoice.exe.44aed50.3.raw.unpack
• 25.2.payment invoice.exe.3af060c.5.unpack
• 25.0.payment invoice.exe.400000.1.unpack
• 0.2.payment invoice.exe.44aed50.3.unpack
• 11.2.payment invoice.exe.5470000.17.raw.unpack
• 11.2.payment invoice.exe.5470000.17.unpack
• 25.2.payment invoice.exe.3af4c35.3.raw.unpack
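The memory string quoted above is why string-based Yara rules for NanoCore keep working across packers: the client-plugin host interface names live in the .NET metadata of the unpacked image and are still there in every dump listed here. The following Python scanner is an added example, not code from the Joe Sandbox report or from NanoCore. The identifier list is taken from the string in this report; the hit threshold, the function names and the two constructed sample buffers are this example's own assumptions:

```python
"""Scan a memory dump or unpacked PE for NanoCore client-plugin type names.

Added example; it is not code from the Joe Sandbox report or from NanoCore.
The indicator names are the ones the report shows in process memory
(IClientNetworkHost, NanoCore.ClientPluginHost, ...); the hit threshold, the
helper names and the sample buffers below are this example's own assumptions.
"""
from __future__ import annotations

# .NET keeps type and member names in the #Strings heap as NUL-terminated UTF-8,
# so they survive as contiguous ASCII in an unpacked image or a memory dump even
# when the loader stage is packed. String literals live in the #US heap as
# UTF-16LE, so both encodings are tried.
NANOCORE_IDENTIFIERS = (
    "NanoCore.ClientPluginHost",
    "NanoCore.ClientPlugin",
    "IClientNetworkHost",
    "IClientLoggingHost",
    "IClientAppHost",
    "IClientUIHost",
    "IClientDataHost",
    "ClientPlugin.dll",
)

# Assumed threshold (not from the report): one "IClient..." name can occur in an
# unrelated assembly, four distinct NanoCore plugin-host names do not.
MIN_HITS = 4


def find_identifiers(blob: bytes) -> dict[str, list[str]]:
    """Map each NanoCore identifier present in blob to the encodings it was seen in."""
    found: dict[str, list[str]] = {}
    for name in NANOCORE_IDENTIFIERS:
        encodings = [enc for enc in ("ascii", "utf-16-le")
                     if name.encode(enc) in blob]
        if encodings:
            found[name] = encodings
    return found


def classify(blob: bytes) -> dict:
    """Return the matched identifiers plus a verdict against MIN_HITS."""
    found = find_identifiers(blob)
    return {"hits": sorted(found), "encodings": found,
            "detected": len(found) >= MIN_HITS}


def classify_file(path: str) -> dict:
    """Run classify() over a .sdmp or .unpack file from disk."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed sample buffers (not real dumps). The first mimics the #Strings heap
# run quoted in the report, with the NUL separators still in place, plus one
# UTF-16LE literal; the second is a benign-looking .NET string run for contrast.
SAMPLE_NANOCORE = b"\x00".join([
    b"<Module>", b"mscorlib", b"IClientDataHost", b"NanoCore.ClientPluginHost",
    b"IClientNetworkHost", b"IClientUIHost", b"IClientLoggingHost",
    b"IClientAppHost", b"ClientPlugin.dll",
]) + b"\x00" + "ClientPlugin.dll".encode("utf-16-le")

SAMPLE_BENIGN = b"\x00".join([
    b"<Module>", b"mscorlib", b"System.Windows.Forms", b"IClientChannel",
    b"MyApplication", b"Program.exe",
])

if __name__ == "__main__":
    for label, blob in (("nanocore-like", SAMPLE_NANOCORE), ("benign", SAMPLE_BENIGN)):
        print(label, classify(blob))
```

Point `classify_file()` at any of the `.unpack` files listed above rather than at the packed sample on disk: the dropper stage that ReversingLabs labels as AgentTesla does not carry these names, the injected NanoCore payload does, which is exactly the split between the `TR/Dropper.MSIL.Gen7` and `TR/NanoCore.fadte` verdicts in the next section.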

Mitre Att&ck Matrix

The matrix is listed by tactic column. Bracketed digits after a technique name are the matrix's signature-count badges for that technique, run together by extraction; techniques without a badge appear in the matrix but have no matched signature in this analysis.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [1]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [112]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [112]; Deobfuscate/Decode Files or Information [1]; Hidden Files and Directories [1]; Obfuscated Files or Information [3]; Software Packing [12]
Credential Access: Input Capture [11]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [221]; Process Discovery [2]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [12]; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Input Capture [11]; Archive Collected Data [11]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [21]; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 431785. Sample: payment invoice.exe. Start date: 09/06/2021. Architecture: WINDOWS. Score: 100.

The rendered graph is not reproduced; its node and edge labels are listed below.

Signatures attached to the sample node:
• Multi AV Scanner detection for domain / URL
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• 14 other signatures

Process tree and per-node labels (numbers are graph node IDs, not PIDs):
• payment invoice.exe (node 9), started from the sample node
  • dropped C:\Users\user\AppData\...\GotewYBrdNy.exe (PE32)
  • dropped C:\Users\user\AppData\Local\...\tmpC705.tmp (XML)
  • dropped C:\Users\user\...\payment invoice.exe.log (ASCII)
  • signature: Injects a PE file into a foreign processes
  • started payment invoice.exe (node 15) and schtasks.exe (node 20)
• payment invoice.exe (node 13), started from the sample node
  • started schtasks.exe (node 22) and payment invoice.exe (node 24)
• payment invoice.exe (node 15)
  • network: ifybest85fff.ddns.net 194.5.98.23, ports 49741, 49748, 49749, DANILENKODE, Netherlands
  • dropped C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
  • signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  • started schtasks.exe (node 26)
• schtasks.exe (node 20) started conhost.exe (node 28)
• schtasks.exe (node 22) started conhost.exe (node 30)
• schtasks.exe (node 26) started conhost.exe (node 32)

          Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
payment invoice.exe | 45% | Virustotal | -
payment invoice.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
payment invoice.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\GotewYBrdNy.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\GotewYBrdNy.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
11.0.payment invoice.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.payment invoice.exe.3ac95f8.6.unpack | 100% | Avira | TR/NanoCore.fadte
25.0.payment invoice.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.payment invoice.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
25.2.payment invoice.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.0.payment invoice.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
25.0.payment invoice.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.payment invoice.exe.5470000.17.unpack | 100% | Avira | TR/NanoCore.fadte

Domains

Source | Detection | Scanner | Label
ifybest85fff.ddns.net | 7% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.comic | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.comahY | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
ifybest85fff.ddns.net | 7% | Virustotal | -
ifybest85fff.ddns.net | 0% | Avira URL Cloud | safe
194.5.98.23 | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ifybest85fff.ddns.net | 194.5.98.23 | true | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
ifybest85fff.ddns.net | true | 7% Virustotal; Avira URL Cloud: safe | unknown
194.5.98.23 | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

None of these URLs was contacted during the analysis; they are foundry and license strings carried in the binary and in mapped font resources. Memory dumps referenced below (all from payment invoice.exe):
A = 00000000.00000002.478583331.0000000007512000.00000004.00000001.sdmp
B = 00000010.00000002.574357145.0000000005A40000.00000002.00000001.sdmp
C = 00000000.00000002.467752646.0000000001977000.00000004.00000040.sdmp
D = 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp
E = 00000010.00000002.568998476.0000000002A71000.00000004.00000001.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | A, B | false | - | high
http://www.fontbureau.com | A, B | false | - | high
http://www.fontbureau.com/designersG | A, B | false | - | high
http://www.fontbureau.com/designers/? | A, B | false | - | high
http://www.founder.com.cn/cn/bThe | A, B | false | URL Reputation: safe | unknown
http://www.fontbureau.comic | C | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | A, B | false | - | high
http://www.tiro.com | B | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | B | false | - | high
http://www.goodfont.co.kr | A, B | false | URL Reputation: safe | unknown
http://www.fontbureau.comahY | C | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | A, B | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | A, B | false | URL Reputation: safe | unknown
http://www.typography.netD | A, B | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | A, B | false | - | high
http://www.founder.com.cn/cn/cThe | A, B | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | A, B | false | URL Reputation: safe | unknown
http://fontfabrik.com | A, B | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | A, B | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | A, B | false | - | high
http://www.jiyu-kobo.co.jp/ | A, B | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | A, B | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | A, B | false | - | high
http://www.fonts.com | A, B | false | - | high
http://www.sandoll.co.kr | A, B | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | A, B | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | A, B | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | D, E | false | - | high
http://www.sakkal.com | A, B | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.98.23 | ifybest85fff.ddns.net | Netherlands | 208476 | DANILENKODE | true
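The only live network indicator in this analysis is a dynamic-DNS hostname resolving to 194.5.98.23, and the context section further down shows that address and its ASN recurring across other NanoCore samples. The following Python script is an added example, not part of the report, of turning those two indicators into a check over endpoint DNS and connection telemetry. The key=value log format, the sample lines, the rule names and the dynamic-DNS suffix list are constructed for the example; only the domain and the IP come from the report:

```python
"""Match endpoint DNS and connection telemetry against this report's C2 indicators.

Added example, not code from the Joe Sandbox report or from NanoCore. The
indicators (ifybest85fff.ddns.net, 194.5.98.23) are the ones the report lists;
the key=value log format, the sample lines, the rule names and the dynamic-DNS
suffix list are constructed for this example.
"""
from __future__ import annotations
import ipaddress
import re

IOC_DOMAINS = {"ifybest85fff.ddns.net"}
IOC_IPS = {ipaddress.ip_address("194.5.98.23")}

# Assumed provider list (not from the report). A lookup of a fresh host under
# one of these is not malicious by itself, so it only earns a low-severity
# alert; the value is in correlating it with the process that asked.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")

# Constructed log lines (not a real Sysmon export): id=22 is a DNS query with
# its answer, id=3 an outbound connection. Quoted values may contain spaces.
SAMPLE_LOG = r"""
ts=2021-06-09T10:17:40Z id=22 image="C:\Users\user\Desktop\payment invoice.exe" query=ifybest85fff.ddns.net answer=194.5.98.23
ts=2021-06-09T10:17:41Z id=3 image="C:\Users\user\Desktop\payment invoice.exe" dst=194.5.98.23 dport=49741
ts=2021-06-09T10:17:42Z id=22 image="C:\Program Files\Google\Chrome\Application\chrome.exe" query=www.bing.com answer=13.107.21.200
ts=2021-06-09T10:17:45Z id=22 image="C:\Users\user\AppData\Roaming\GotewYBrdNy.exe" query=otherhost.hopto.org answer=203.0.113.7
ts=2021-06-09T10:17:46Z id=3 image="C:\Windows\System32\svchost.exe" dst=13.107.21.200 dport=443
"""

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict[str, str]:
    """Split one key=value line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def evaluate(event: dict[str, str]) -> list[tuple[str, str]]:
    """Return (severity, reason) pairs for one parsed event."""
    alerts: list[tuple[str, str]] = []
    if event.get("id") == "22":
        query = event.get("query", "").lower()
        if query in IOC_DOMAINS:
            alerts.append(("high", f"DNS query for known C2 domain {query}"))
        elif query.endswith(DYNDNS_SUFFIXES):
            alerts.append(("low", f"DNS query for dynamic-DNS host {query}"))
        answer = event.get("answer")
        if answer and ipaddress.ip_address(answer) in IOC_IPS:
            alerts.append(("high", f"{query} resolved to known C2 address {answer}"))
    elif event.get("id") == "3":
        dst = event.get("dst")
        if dst and ipaddress.ip_address(dst) in IOC_IPS:
            alerts.append(("high", f"connection to known C2 address {dst}:{event.get('dport')}"))
    return alerts


def scan_log(text: str) -> list[dict]:
    """Evaluate every line and keep those that raised at least one alert."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        alerts = evaluate(event)
        if alerts:
            findings.append({"ts": event.get("ts"), "image": event.get("image"), "alerts": alerts})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["image"], finding["alerts"])
```

The answer check matters as much as the name check: a NanoCore operator can re-point the dynamic-DNS record at a new server, and new samples can be built with a new hostname pointing at the same 194.5.98.23, so both the domain and the address are kept as separate indicators. The low-severity dynamic-DNS rule is there for triage, not blocking; in the constructed log it fires on the dropped GotewYBrdNy.exe, and that image path (an unsigned binary under AppData) is the signal that justifies escalation.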

                                General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 431785
Start date: 09.06.2021
Start time: 10:15:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 58s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: payment invoice.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/11@12/1
EGA Information: Failed
                                HDC Information:
                                • Successful, ratio: 0.8% (good quality ratio 0.5%)
                                • Quality average: 44.6%
                                • Quality standard deviation: 37.2%
                                HCA Information:
                                • Successful, ratio: 94%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                • TCP Packets have been reduced to 100
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                • Excluded IPs from analysis (whitelisted): 104.43.193.48, 204.79.197.200, 13.107.21.200, 52.147.198.201, 13.88.21.125, 20.82.210.154, 20.54.7.98, 20.54.26.129, 40.88.32.150, 20.50.102.62, 92.122.213.247, 92.122.213.194, 184.30.20.56
                                • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

Time | Type | Description
10:17:51 | API Interceptor | 668x Sleep call for process: payment invoice.exe modified
10:17:52 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\payment invoice.exe" s>$(Arg0)
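The Task Scheduler entry above is the persistence mechanism: a task named after a Windows component whose action is the sample itself, sitting on the user's Desktop. The following Python hunt is an added example, not code from the report. It parses output in the shape of `schtasks /query /fo CSV /v` and flags tasks whose action runs from a user-writable path or whose name imitates a system component. The "DHCP Monitor" row is the task the report logged; the CSV sample is hand-built and trimmed to the columns used, the environment-variable map assumes the analysis VM's account "user", and the path heuristics and the allowlist of per-user updaters are the example's own assumptions:

```python
"""Hunt scheduled tasks whose action runs from a user-writable path.

Added example, not code from the Joe Sandbox report. The "DHCP Monitor" task
and its action are the ones the report logged; the CSV layout is a trimmed,
hand-built imitation of `schtasks /query /fo CSV /v` output, and the path
heuristics, environment map and allowlist are this example's own assumptions.
"""
from __future__ import annotations
import csv
import io
import re

# Assumed: locations an unprivileged user can write to. A task that launches
# from here persists across reboots without admin rights, which is the pattern
# the report shows; Microsoft's own tasks launch from \Windows\ or \Program Files\.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\",
                         "\\programdata\\", "\\public\\")

# Assumed: words that make a task name look like a Windows component.
LOOKALIKE_WORDS = ("dhcp", "dns", "windows", "microsoft", "update",
                   "monitor", "defender", "security")

# Assumed: per-user updaters that legitimately run from AppData (keyed on a
# path fragment, never on the attacker-controlled Author column).
KNOWN_USERLAND = ("\\microsoft\\onedrive\\",)

# Assumed expansion for the analysis VM's account "user".
ENV = {
    "%windir%": "C:\\Windows",
    "%systemroot%": "C:\\Windows",
    "%programdata%": "C:\\ProgramData",
    "%localappdata%": "C:\\Users\\user\\AppData\\Local",
    "%appdata%": "C:\\Users\\user\\AppData\\Roaming",
    "%temp%": "C:\\Users\\user\\AppData\\Local\\Temp",
}

# First program token of an action: a quoted path, or an unquoted path up to
# the extension (schtasks prints "C:\Program Files\x.exe /a" without quotes).
_EXE_RE = re.compile(r'^"?(.*?\.(?:exe|bat|cmd|vbs|js|ps1|dll|scr))(?:"|\s|$)',
                     re.IGNORECASE)

# Constructed sample (not real schtasks output), trimmed to the columns used.
SAMPLE_CSV = '''\
"TaskName","Task To Run","Run As User","Schedule Type","Author"
"\\DHCP Monitor","""C:\\Users\\user\\Desktop\\payment invoice.exe"" s>$(Arg0)","user","At logon time","user"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","Weekly","Microsoft Corporation"
"\\GoogleUpdateTaskMachineUA","C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua /installsource scheduler","SYSTEM","Hourly","Google"
"\\OneDrive Standalone Update Task","%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","user","Daily","Microsoft"
'''


def expand_env(path: str) -> str:
    """Replace known %VAR% tokens case-insensitively (values inserted literally)."""
    out = path
    for var, value in ENV.items():
        out = re.sub(re.escape(var), lambda _m, v=value: v, out, flags=re.IGNORECASE)
    return out


def action_executable(task_to_run: str) -> str:
    """Extract and expand the program path from a 'Task To Run' value."""
    text = task_to_run.strip()
    match = _EXE_RE.match(text)
    return expand_env(match.group(1) if match else text.split(" ")[0])


def assess_task(row: dict[str, str]) -> dict | None:
    """Score one task row; None means nothing suspicious (or allowlisted)."""
    name = row["TaskName"]
    exe = action_executable(row["Task To Run"])
    exe_l = exe.lower()
    if any(fragment in exe_l for fragment in KNOWN_USERLAND):
        return None
    reasons = []
    if any(marker in exe_l for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"action runs from user-writable path {exe}")
    in_system_dir = exe_l.startswith(("c:\\windows\\", "c:\\program files"))
    if any(word in name.lower() for word in LOOKALIKE_WORDS) and not in_system_dir:
        reasons.append(f"system-sounding task name {name!r} with action outside Windows/Program Files")
    if not reasons:
        return None
    return {"task": name, "exe": exe, "run_as": row["Run As User"],
            "severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons}


def hunt(csv_text: str) -> list[dict]:
    """Run assess_task over every row of schtasks CSV output."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [finding for finding in (assess_task(r) for r in rows) if finding]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_CSV):
        print(finding)
```

Real `schtasks /query /fo CSV /v` output carries many more columns; `csv.DictReader` keys on the header names, so the extra columns are ignored. The `s>$(Arg0)` in the report's task is Task Scheduler's run-time argument substitution, so the hunt keys on where the binary lives rather than on the argument string. The OneDrive row is the caveat: a legitimate per-user updater also runs from AppData and also has "Update" in its name, so without the path allowlist (or a signature check on the binary) the rule is too noisy to act on.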

                                Joe Sandbox View / Context

                                IPs

Match | Associated Sample Name / URL | Detection
194.5.98.23 | Asif Professional CV.exe | malicious
194.5.98.23 | Mwasiti Mnindy.exe | malicious
194.5.98.23 | Mwasiti Mnindy.exe | malicious
194.5.98.23 | INVs(2341).exe | malicious
194.5.98.23 | Bank Payment Copy.exe | malicious
194.5.98.23 | SWIFT COPY.exe | malicious
194.5.98.23 | payment invoice.exe | malicious
194.5.98.23 | Bank Payment Copy.exe | malicious
194.5.98.23 | ORDER SHEET - SUMMER 2021.exe | malicious
194.5.98.23 | Specifications Drawing Sketch Details-img.exe | malicious

                                                    Domains

Match | Associated Sample Name / URL | Detection | Context
ifybest85fff.ddns.net | Asif Professional CV.exe | malicious | 194.5.98.23

                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
DANILENKODE | #RFQ ORDER484475577797.exe | malicious | 194.5.98.120
DANILENKODE | b6yzWugw8V.exe | malicious | 194.5.98.107
DANILENKODE | 0041#Receipt.pif.exe | malicious | 194.5.98.180
DANILENKODE | j07ghiByDq.exe | malicious | 194.5.97.146
DANILENKODE | j07ghiByDq.exe | malicious | 194.5.97.146
DANILENKODE | PROOF OF PAYMENT.exe | malicious | 194.5.97.18
DANILENKODE | SecuriteInfo.com.Trojan.PackedNET.820.24493.exe | malicious | 194.5.97.61
DANILENKODE | DHL_file.exe | malicious | 194.5.98.145
DANILENKODE | BBS FX.xlsx | malicious | 194.5.97.61
DANILENKODE | GpnPv433gb.exe | malicious | 194.5.98.11
DANILENKODE | Kj7tTd1Zimp0ciI.exe | malicious | 194.5.97.197
DANILENKODE | Resume.exe | malicious | 194.5.98.8
DANILENKODE | SecuriteInfo.com.Trojan.DownLoader39.38629.28832.exe | malicious | 194.5.98.145
DANILENKODE | SecuriteInfo.com.Variant.Razy.840898.18291.exe | malicious | 194.5.98.144
DANILENKODE | 8LtwhjD2Qm.exe | malicious | 194.5.98.107
DANILENKODE | Receiptn.exe | malicious | 194.5.98.180
DANILENKODE | soa5.exe | malicious | 194.5.98.48
DANILENKODE | soa5.exe | malicious | 194.5.98.48
DANILENKODE | 68Aj4oxPok.exe | malicious | 194.5.98.144
DANILENKODE | Ysur2E8xPs.exe | malicious | 194.5.97.61

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment invoice.exe.log
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Temp\tmp70E1.tmp
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1656
Entropy (8bit): 5.1594656034148185
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3NkOtn:cbha7JlNQV/rydbz9I3YODOLNdq3wo
MD5: 237C2B764584CA136806AD1FBE17F761
SHA1: FE783B97447CF226C6FAA7F5AE7D972C2268A279
SHA-256: 9496A59C37BA72FC44EE6217E7D289A1D022BC8ECDE5197E5B5185D8051F79B3
SHA-512: 422B5D17D498781201CC0ADC36C3E0267900308DB09FF25D6B89E427D3ABBB52DB97A4A640BB7D68AEDF2014391D3FA12E2644D558952DABB51C77C09A383BAA
Malicious: false
Reputation: low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
C:\Users\user\AppData\Local\Temp\tmpC705.tmp
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1656
Entropy (8bit): 5.1594656034148185
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3NkOtn:cbha7JlNQV/rydbz9I3YODOLNdq3wo
MD5: 237C2B764584CA136806AD1FBE17F761
SHA1: FE783B97447CF226C6FAA7F5AE7D972C2268A279
SHA-256: 9496A59C37BA72FC44EE6217E7D289A1D022BC8ECDE5197E5B5185D8051F79B3
SHA-512: 422B5D17D498781201CC0ADC36C3E0267900308DB09FF25D6B89E427D3ABBB52DB97A4A640BB7D68AEDF2014391D3FA12E2644D558952DABB51C77C09A383BAA
Malicious: true
Reputation: low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
C:\Users\user\AppData\Local\Temp\tmpD79F.tmp
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.082134358682254
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0V/nxtn:cbk4oL600QydbQxIYODOLedq38nj
MD5: 2718925F05BD1061363FC1DB90858234
SHA1: 0AB5DAFCED20DD659BF032004131A51397CD0886
SHA-256: 606E95C64E26A82B23885ABD2C0A3619DB9BE593FBFFF8345FE47E09273CEB06
SHA-512: E95F45D6C3A24900856159ED3C59089766B1BC5E03AE226A272D725FB6D1FC69374074F5D4C94AB272A0C01CD121AA23FF096FF3CA281E14B3FA2D6BD290EE68
Malicious: false
Reputation: low
                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: data
Category: dropped
Size (bytes): 2088
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
MD5: 0D6805D12813A857D50D42D6EE2CCAB0
SHA1: 78D83F009D842F21FE2AB0EAFFD00E5AAD1776F4
SHA-256: 182E0F8AA959549D61C66D049645BA8445D86AEAD2B8C3552A9836FA1E5BD484
SHA-512: 5B29496F3AB3CCB915CF37042F4956BB00E577B5F15457A5A739BE1BD50C481FB7E3297EED575DCA7A7BD30ECBC140DD3666CD7DEDD25DFB7AEB41A1B5BEDA4A
Malicious: false
                                                    Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: Non-ISO extended-ASCII text, with no line terminators, with overstriking
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:MPh:MJ
MD5: D00FDE39F5DC7B4ABDA8A17EFE02ED47
SHA1: 9314E390AED8DAF63A8F3507AA7F8D42959A4032
SHA-256: 1A9FD6E8ECD5DB86FA9AAF2350A49592499D2C25CD0C770817FD87DB365E68B5
SHA-512: DEE193CCDEDA2CA8EABD12B8DEEB46FD5F261B7F46949FA34177E4EFF76CF5B133822B428AFDDBA296DEA1F4D37CB7AF20B09326F3FD138D5C821E9BAA85E71E
Malicious: true
                                                    Preview: 2...j+.H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: data
Category: dropped
Size (bytes): 24
Entropy (8bit): 4.501629167387823
Encrypted: false
SSDEEP: 3:9bzY6oRDIvYk:RzWDI3
MD5: ACD3FB4310417DC77FE06F15B0E353E6
SHA1: 80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256: DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512: DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious: false
                                                    Preview: 9iH...}Z.4..f..J".C;"a
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 5.320159765557392
Encrypted: false
SSDEEP: 3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
MD5: BB0F9B9992809E733EFFF8B0E562CFD6
SHA1: F0BAB3CF73A04F5A689E6AFC764FEE9276992742
SHA-256: C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
SHA-512: AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
Malicious: false
                                                    Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: data
Category: dropped
Size (bytes): 327432
Entropy (8bit): 7.99938831605763
Encrypted: true
SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious: false
                                                    Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 45
Entropy (8bit): 4.113206429278392
Encrypted: false
SSDEEP: 3:oNN2+WVEcIqvdA:oNN2RucddA
MD5: 4E8183AE084261C1AF222E0DCC1BE281
SHA1: 8C8751A7FC261FDF903E0F1E47A7E9463855E12A
SHA-256: EAC634E1CBF5C9F39FA4450A987DC15936083172CF8937C6DB6870D45C103A67
SHA-512: 76F424D13A6FC3CEB9A5ABFAE3F774C4D300D2E1321F6310E5DC363E0BF5C3BD8E4AEB086691DA393798993C026119C125F96435BBA86A71B88C67966CB717F0
Malicious: false
                                                    Preview: C:\Users\user\Desktop\payment invoice.exe
C:\Users\user\AppData\Roaming\GotewYBrdNy.exe
Process: C:\Users\user\Desktop\payment invoice.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1043456
Entropy (8bit): 7.296264460943387
Encrypted: false
SSDEEP: 12288:c1mk+vR1Hup6Z7Q/pDTXWILsbGRzcmtCN1/LFk6Hq0cpeTHKMgAbCZBvqpjExD07:Ox+vDOQZSz5UQRi
MD5: 845D5DC8393BF7652F744E7FA7DFB3C3
SHA1: F83096A377039CFDBCFB930A98FD1B78691C4456
SHA-256: 3AA4556BD929B55C5A51EA8CD76865FD4E27B880EC483AA8A94582071CDEF24D
SHA-512: E40303DC536090DA7B282A9A940765437C07ED3D497B0F81CDB92B9ABFC378D5EC54D96E946B69E368432B4FDE891A40681239056E3FC74FEA4568E4959D249C
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 30%
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._!.`..............0.............n.... ... ....@.. .......................`............@.....................................S.... .......................@....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................P.......H........X..........c........s...........................................0..........*....0.."........r...p}......}.....(.......(.....*...0............{....(....r[..p(....:.... .0t. ....a%....^E............................M...a............... .......u.......8.....(...... /)..Z 1../a+....m...%.r]..p.%..{....(.....%.r...p.%..{....(.....%.r...p.%..{....(.....%.r...p.%..{....(.....%.r...p.%...{....(.....%..r...p.(.......(....... v`.UZ .^n.a8....r...p(....&.. aL..Z ..p.a8.....(....

                                                    Static File Info

                                                    General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.296264460943387
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: payment invoice.exe
File size: 1043456
MD5: 845d5dc8393bf7652f744e7fa7dfb3c3
SHA1: f83096a377039cfdbcfb930a98fd1b78691c4456
SHA256: 3aa4556bd929b55c5a51ea8cd76865fd4e27b880ec483aa8a94582071cdef24d
SHA512: e40303dc536090da7b282a9a940765437c07ed3d497b0f81cdb92b9abfc378d5ec54d96e946b69e368432b4fde891a40681239056e3fc74fea4568e4959d249c
SSDEEP: 12288:c1mk+vR1Hup6Z7Q/pDTXWILsbGRzcmtCN1/LFk6Hq0cpeTHKMgAbCZBvqpjExD07:Ox+vDOQZSz5UQRi
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._!.`..............0.............n.... ... ....@.. .......................`............@................................

                                                    File Icon

Icon Hash: 00828e8e8686b000

                                                    Static PE Info

                                                    General

Entrypoint: 0x50016e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60C0215F [Wed Jun 9 02:03:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x100118         0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x102000         0x5e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x104000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

.text
    Virtual Address: 0x2000
    Virtual Size: 0xfe174
    Raw Size: 0xfe200
    Xored PE: False
    ZLIB Complexity: 0.613228410908
    File Type: data
    Entropy: 7.30117922021
    Characteristics: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.rsrc
    Virtual Address: 0x102000
    Virtual Size: 0x5e0
    Raw Size: 0x600
    Xored PE: False
    ZLIB Complexity: 0.430338541667
    File Type: data
    Entropy: 4.17543821636
    Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

.reloc
    Virtual Address: 0x104000
    Virtual Size: 0xc
    Raw Size: 0x200
    Xored PE: False
    ZLIB Complexity: 0.044921875
    File Type: data
    Entropy: 0.0815394123432
    Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size   Type                                                                        Language  Country
RT_VERSION   0x1020a0  0x354  data
RT_MANIFEST  0x1023f4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2019
Assembly Version  1.0.0.0
InternalName      EUZihe.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       WindowsFormsApplication1
ProductVersion    1.0.0.0
FileDescription   WindowsFormsApplication1
OriginalFilename  EUZihe.exe

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

                                                    DNS Queries

                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                    Jun 9, 2021 10:17:53.225133896 CEST | 192.168.2.6 | 8.8.8.8 | 0x288e | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:00.217374086 CEST | 192.168.2.6 | 8.8.8.8 | 0xcc42 | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:07.291168928 CEST | 192.168.2.6 | 8.8.8.8 | 0x7ae | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:14.232737064 CEST | 192.168.2.6 | 8.8.8.8 | 0x4293 | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:21.288279057 CEST | 192.168.2.6 | 8.8.8.8 | 0x1198 | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:28.492014885 CEST | 192.168.2.6 | 8.8.8.8 | 0x5b7e | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:35.611330986 CEST | 192.168.2.6 | 8.8.8.8 | 0x68f5 | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:43.429347038 CEST | 192.168.2.6 | 8.8.8.8 | 0x5ad6 | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:50.458369017 CEST | 192.168.2.6 | 8.8.8.8 | 0x33db | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:57.546703100 CEST | 192.168.2.6 | 8.8.8.8 | 0xebf2 | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:19:04.653218031 CEST | 192.168.2.6 | 8.8.8.8 | 0xb789 | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:19:11.520154953 CEST | 192.168.2.6 | 8.8.8.8 | 0xc67e | Standard query (0) | ifybest85fff.ddns.net | A (IP address) | IN (0x0001)

                                                    DNS Answers

                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                    Jun 9, 2021 10:17:53.269629002 CEST | 8.8.8.8 | 192.168.2.6 | 0x288e | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:00.261193037 CEST | 8.8.8.8 | 192.168.2.6 | 0xcc42 | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:07.336222887 CEST | 8.8.8.8 | 192.168.2.6 | 0x7ae | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:14.277889967 CEST | 8.8.8.8 | 192.168.2.6 | 0x4293 | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:21.331211090 CEST | 8.8.8.8 | 192.168.2.6 | 0x1198 | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:28.538165092 CEST | 8.8.8.8 | 192.168.2.6 | 0x5b7e | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:35.654213905 CEST | 8.8.8.8 | 192.168.2.6 | 0x68f5 | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:43.472330093 CEST | 8.8.8.8 | 192.168.2.6 | 0x5ad6 | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:50.504792929 CEST | 8.8.8.8 | 192.168.2.6 | 0x33db | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:18:57.590898037 CEST | 8.8.8.8 | 192.168.2.6 | 0xebf2 | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:19:04.696090937 CEST | 8.8.8.8 | 192.168.2.6 | 0xb789 | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)
                                                    Jun 9, 2021 10:19:11.564773083 CEST | 8.8.8.8 | 192.168.2.6 | 0xc67e | No error (0) | ifybest85fff.ddns.net | | 194.5.98.23 | A (IP address) | IN (0x0001)

                                                    Code Manipulations

                                                    Statistics

                                                    Behavior

                                                    System Behavior

                                                    General

                                                    Start time:10:17:04
                                                    Start date:09/06/2021
                                                    Path:C:\Users\user\Desktop\payment invoice.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\payment invoice.exe'
                                                    Imagebase:0xec0000
                                                    File size:1043456 bytes
                                                    MD5 hash:845D5DC8393BF7652F744E7FA7DFB3C3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.471352277.00000000043E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.468007470.00000000033E1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.471722292.0000000004589000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:10:17:47
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmpC705.tmp'
                                                    Imagebase:0xed0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:17:47
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff61de10000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:17:48
                                                    Start date:09/06/2021
                                                    Path:C:\Users\user\Desktop\payment invoice.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0x5c0000
                                                    File size:1043456 bytes
                                                    MD5 hash:845D5DC8393BF7652F744E7FA7DFB3C3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.464661919.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.646691613.0000000003AB7000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.643057638.0000000002A61000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.648627188.0000000005470000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.649963116.0000000006C40000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.649963116.0000000006C40000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650509970.0000000006FA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650188515.0000000006F20000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650188515.0000000006F20000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.643361981.0000000002ACC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.640367723.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650157575.0000000006F10000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650157575.0000000006F10000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.648469077.0000000005280000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.648469077.0000000005280000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.646977313.0000000003C89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650009265.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650009265.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650292848.0000000006F50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650292848.0000000006F50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650225160.0000000006F30000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650225160.0000000006F30000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650482817.0000000006F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650482817.0000000006F90000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650261294.0000000006F40000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650261294.0000000006F40000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650601624.0000000006FE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000000.464294989.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650324913.0000000006F60000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650324913.0000000006F60000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.647259512.0000000003E25000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.650370900.0000000006F70000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.650370900.0000000006F70000.00000004.00000001.sdmp, Author: Florian Roth
                                                    Reputation:low

                                                    General

                                                    Start time:10:17:50
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD79F.tmp'
                                                    Imagebase:0xed0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:17:51
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff61de10000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:17:52
                                                    Start date:09/06/2021
                                                    Path:C:\Users\user\Desktop\payment invoice.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\payment invoice.exe' 0
                                                    Imagebase:0x5e0000
                                                    File size:1043456 bytes
                                                    MD5 hash:845D5DC8393BF7652F744E7FA7DFB3C3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.572013366.0000000003A79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.572296320.0000000003C19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:10:18:30
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GotewYBrdNy' /XML 'C:\Users\user\AppData\Local\Temp\tmp70E1.tmp'
                                                    Imagebase:0xed0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:18:32
                                                    Start date:09/06/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff61de10000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:10:18:35
                                                    Start date:09/06/2021
                                                    Path:C:\Users\user\Desktop\payment invoice.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0x5e0000
                                                    File size:1043456 bytes
                                                    MD5 hash:845D5DC8393BF7652F744E7FA7DFB3C3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.583033068.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000019.00000000.565709564.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000019.00000000.565209110.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.585683848.0000000003AA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000019.00000002.585357177.0000000002AA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    Disassembly

                                                    Code Analysis
