
Analysis Report POInvoiceOrderIuVvcl0VWEOAmXy.exe

Overview

General Information

Sample Name: POInvoiceOrderIuVvcl0VWEOAmXy.exe
Analysis ID: 431795
MD5: fb1eb909e34c22f21310565cf4b71563
SHA1: f301810874ac9b59aef7c5ca3d8377e35e4906ba
SHA256: acfd6ceddcb0f24e6a170eb64cfbbb1af4876bcda5fb572c36330b1f6208a84e
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • POInvoiceOrderIuVvcl0VWEOAmXy.exe (PID: 6140 cmdline: 'C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe' MD5: FB1EB909E34C22F21310565CF4B71563)
    • schtasks.exe (PID: 5904 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KbWjJvsRSE' /XML 'C:\Users\user\AppData\Local\Temp\tmp220B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1fb9e357-3073-471b-ab6f-630ca123", "Group": "kmt", "Domain1": "kkmmtt.duckdns.org", "Domain2": "kmttk.hopto.org", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5730000.8.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5730000.8.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe, ProcessId: 1084, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Signature Overview

      AV Detection:

Found malware configuration
Source: 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1fb9e357-3073-471b-ab6f-630ca123", "Group": "kmt", "Domain1": "kkmmtt.duckdns.org", "Domain2": "kmttk.hopto.org", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: kmttk.hopto.org; Virustotal: Detection: 6%
Yara detected Nanocore RAT
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.unpack; Avira: Label: TR/NanoCore.fadte
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ntNlgumrQW\src\obj\x86\Debug\DictionaryValueCollection.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: Binary string: mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000003.415457537.00000000014C3000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.240015874.00000000081C0000.00000002.00000001.sdmp, POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471848695.00000000056C0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49715 -> 194.5.98.87:6060
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: kmttk.hopto.org
Source: Malware configuration extractor; URLs: kkmmtt.duckdns.org
Uses dynamic DNS services
Source: unknown; DNS query: name: kkmmtt.duckdns.org
Source: global traffic; TCP traffic: 192.168.2.3:49715 -> 194.5.98.87:6060
Source: Joe Sandbox View; ASN Name: DANILENKODE DANILENKODE
Source: unknown; DNS traffic detected: queries for: kkmmtt.duckdns.org
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

Yara detected Nanocore RAT

      System Summary:

Malicious sample detected (through community Yara rule)
      Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.3ef7e00.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_04EF16E2 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_04EF16B1 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_050E85A0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_050EF228
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_050E8280
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_050E0AA0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_050E93BF
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_050E93D0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_050E9608
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_050E9618
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_050E8271
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_050E0A93
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F0070
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F289A
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084FBCB8
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084FC0B0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084FB968
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F0A58
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F1228
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084FC6E0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F1B48
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F9340
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F0006
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084FA038
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F4CD0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F4CE0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F48F8
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F4150
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F4160
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F850F
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F4908
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F8590
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F1218
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F9A28
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F36C8
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F56D9
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F8AF0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F36B9
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F8B48
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F1B42
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F4B40
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084FA768
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F5778
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F4718
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F4728
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F4B30
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe Code function: 1_2_084F97C8
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KbWjJvsRSE.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.240684237.0000000008220000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKygo.dll* vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.240015874.00000000081C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.236656130.00000000040E4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.233192925.00000000008F8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDictionaryValueCollection.exe. vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.241506811.0000000008700000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.241595592.00000000087F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.241595592.00000000087F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471750476.0000000005620000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472842498.0000000006650000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000000.230828833.0000000000D28000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDictionaryValueCollection.exe. vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471848695.00000000056C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe Binary or memory string: OriginalFilenameDictionaryValueCollection.exe. vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.472281390.0000000005C60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.472281390.0000000005C60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: POInvoiceOrderIuVvcl0VWEOAmXy.exe PID: 1084, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: POInvoiceOrderIuVvcl0VWEOAmXy.exe PID: 1084, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5730000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5730000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c50000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c50000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4355fb9.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4355fb9.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.32f162c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.32f162c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c64629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c64629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.32f64a8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.32f64a8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.32f162c.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.32f162c.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.3ef7e00.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.3ef7e00.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: KbWjJvsRSE.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engineClassification label: mal100.troj.evad.winEXE@6/6@18/1
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeCode function: 1_2_04EF1566 AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeCode function: 1_2_04EF152F AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeFile created: C:\Users\user\AppData\Roaming\KbWjJvsRSE.exeJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1832:120:WilError_01
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeMutant created: \Sessions\1\BaseNamedObjects\hYTpOlddLWwmJR
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{1fb9e357-3073-471b-ab6f-630ca1239b07}
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeFile created: C:\Users\user\AppData\Local\Temp\tmp220B.tmpJump to behavior
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe | String found in binary or memory: -start_number {0} -i "{1}{2}"
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe | String found in binary or memory: <!--StartFragment -->
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe | String found in binary or memory: <<<<<<<3+<!--StartFragment -->
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe | String found in binary or memory: %0{0}d;-start_number {0} -i "{1}{2}"
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | File read: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
      Source: unknown | Process created: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe 'C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe'
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KbWjJvsRSE' /XML 'C:\Users\user\AppData\Local\Temp\tmp220B.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Process created: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KbWjJvsRSE' /XML 'C:\Users\user\AppData\Local\Temp\tmp220B.tmp'
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Process created: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ntNlgumrQW\src\obj\x86\Debug\DictionaryValueCollection.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe
      Source: Binary string: mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000003.415457537.00000000014C3000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp
      Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\dll\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
      Source: Binary string: indows\System.pdbpdbtem.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
      Source: Binary string: System.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.240015874.00000000081C0000.00000002.00000001.sdmp, POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471848695.00000000056C0000.00000002.00000001.sdmp
      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_008367DA push es; iretd
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_0083687A push es; iretd
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050EE882 push edx; ret
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050EDCB2 push cs; retf
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F842C push esp; iretd
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F63C1 push cs; ret
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F63AC push edi; iretd
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F63B6 push edi; iretd
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 4_3_04406060 push ss; retf
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 4_3_043FC678 push ds; iretd
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 4_3_043F8C81 push eax; retf
      Source: initial sample | Static PE information: section name: .text entropy: 7.64208263099
      Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | File created: C:\Users\user\AppData\Roaming\KbWjJvsRSE.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KbWjJvsRSE' /XML 'C:\Users\user\AppData\Local\Temp\tmp220B.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Icon mismatch, binary includes an icon from a different legit application in order to fool users
      Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (35).png
      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | File opened: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match | File source: 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: POInvoiceOrderIuVvcl0VWEOAmXy.exe PID: 6140, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Window / User API: threadDelayed 353
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Window / User API: foregroundWindowGot 949
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe TID: 1156 | Thread sleep time: -102819s >= -30000s
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe TID: 5876 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe TID: 2796 | Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe TID: 5884 | Thread sleep time: -300000s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Thread delayed: delay time: 102819
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Thread delayed: delay time: 922337203685477
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472842498.0000000006650000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: VMWARE
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472842498.0000000006650000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472842498.0000000006650000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000003.243360252.00000000014C3000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472842498.0000000006650000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeMemory written: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KbWjJvsRSE' /XML 'C:\Users\user\AppData\Local\Temp\tmp220B.tmp'
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeProcess created: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000003.243360252.00000000014C3000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466591333.0000000001A90000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466591333.0000000001A90000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.469412166.000000000339E000.00000004.00000001.sdmpBinary or memory string: Program Managerp
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466591333.0000000001A90000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_0100B51E GetUserNameW,
      Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.472281390.0000000005C60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: POInvoiceOrderIuVvcl0VWEOAmXy.exe PID: 1084, type: MEMORY
      Source: Yara match | File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4355fb9.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c64629.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.3ef7e00.1.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Command and Scripting Interpreter2 | Scheduled Task/Job1 | Access Token Manipulation1 | Disable or Modify Tools1 | Input Capture11 | Account Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Process Injection112 | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Obfuscated Files or Information3 | Security Account Manager | System Information Discovery12 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing13 | NTDS | Security Software Discovery111 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading11 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion31 | Cached Domain Credentials | Virtualization/Sandbox Evasion31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection112 | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction

      Behavior Graph


      Screenshots

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      Source | Detection | Scanner | Label
      4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.unpack | 100% | Avira | TR/NanoCore.fadte
      4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

Source | Detection | Scanner
kkmmtt.duckdns.org | 1% | Virustotal

      URLs


      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
kkmmtt.duckdns.org | 194.5.98.87 | true | true | (none) | unknown

      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
kmttk.hopto.org | true | 7% (Virustotal); Avira URL Cloud: safe | unknown
kkmmtt.duckdns.org | true | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries


                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.5.98.87 | kkmmtt.duckdns.org | Netherlands | 208476 | DANILENKODE | true

                              General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 431795
Start date: 09.06.2021
Start time: 10:35:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: POInvoiceOrderIuVvcl0VWEOAmXy.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/6@18/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.5% (good quality ratio 0.2%)
• Quality average: 30.6%
• Quality standard deviation: 37.8%
HCA Information:
• Successful, ratio: 82%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.193.48, 52.255.188.83, 13.64.90.137, 104.43.139.144, 20.50.102.62, 40.88.32.150, 104.42.151.234, 184.30.24.56, 20.54.26.129, 205.185.216.10, 205.185.216.42, 20.82.210.154, 92.122.213.247, 92.122.213.194, 40.126.31.138, 40.126.31.142, 40.126.31.140, 40.126.31.5, 40.126.31.3, 20.190.159.131, 40.126.31.7, 20.190.159.137, 131.253.33.200, 13.107.22.200
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
10:36:08 | API Interceptor | 946x Sleep call for process: POInvoiceOrderIuVvcl0VWEOAmXy.exe modified

                              Joe Sandbox View / Context

                              IPs

Match | Associated Sample Name / URL | Detection
194.5.98.87 | Invoice_orderYscFwfO1peuGl0w.exe | malicious

                                Domains

                                No context

                                ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
DANILENKODE | payment invoice.exe | malicious | 194.5.98.23
DANILENKODE | #RFQ ORDER484475577797.exe | malicious | 194.5.98.120
DANILENKODE | b6yzWugw8V.exe | malicious | 194.5.98.107
DANILENKODE | 0041#Receipt.pif.exe | malicious | 194.5.98.180
DANILENKODE | j07ghiByDq.exe | malicious | 194.5.97.146
DANILENKODE | j07ghiByDq.exe | malicious | 194.5.97.146
DANILENKODE | PROOF OF PAYMENT.exe | malicious | 194.5.97.18
DANILENKODE | SecuriteInfo.com.Trojan.PackedNET.820.24493.exe | malicious | 194.5.97.61
DANILENKODE | DHL_file.exe | malicious | 194.5.98.145
DANILENKODE | BBS FX.xlsx | malicious | 194.5.97.61
DANILENKODE | GpnPv433gb.exe | malicious | 194.5.98.11
DANILENKODE | Kj7tTd1Zimp0ciI.exe | malicious | 194.5.97.197
DANILENKODE | Resume.exe | malicious | 194.5.98.8
DANILENKODE | SecuriteInfo.com.Trojan.DownLoader39.38629.28832.exe | malicious | 194.5.98.145
DANILENKODE | SecuriteInfo.com.Variant.Razy.840898.18291.exe | malicious | 194.5.98.144
DANILENKODE | 8LtwhjD2Qm.exe | malicious | 194.5.98.107
DANILENKODE | Receiptn.exe | malicious | 194.5.98.180
DANILENKODE | soa5.exe | malicious | 194.5.98.48
DANILENKODE | soa5.exe | malicious | 194.5.98.48
DANILENKODE | 68Aj4oxPok.exe | malicious | 194.5.98.144

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\POInvoiceOrderIuVvcl0VWEOAmXy.exe.log
Process: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 664
Entropy (8bit): 5.288448637977022
Encrypted: false
SSDEEP: 12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5: B1DB55991C3DA14E35249AEA1BC357CA
SHA1: 0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256: 34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512: BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious: false
Reputation: moderate, very likely benign file
                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                                C:\Users\user\AppData\Local\Temp\tmp220B.tmp
Process: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1643
Entropy (8bit): 5.195851646316711
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBn0tn:cbh47TlNQ//rydbz9I3YODOLNdq3Fy
MD5: 6BD2FC1377B3D6119F378DD2802ED9AB
SHA1: E45F4CE47ED5253087DC3C91EDCDF6148BEF6624
SHA-256: A055D15B0C016003FEEF850630AE264447E960B36E5AF3AF59795C31C9F0A688
SHA-512: 225AD55642A9D82BF502E08C424579F2F187639B69BDCFC34E16146B747166D83BBC6F2177502877962472BB0C1EC00B5AAFA6FE6954F961989B09EDB512B0FD
Malicious: true
Reputation: low
                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                Process:C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2728
                                Entropy (8bit):7.094528505897445
                                Encrypted:false
                                SSDEEP:48:Ik/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH87:ft3Ucrt3Ucrt3Ucrt3Ucrt3Ucrt3UcrN
                                MD5:3F16EC9869DEDFFEC07792CA71B87AB5
                                SHA1:124F3AAEB04E11DEA7361736CE472750D237D3D2
                                SHA-256:1A187F3EF38284FF4EE2B20D6021C884E42FC72284F2DA858D7E389CE9C7D0E9
                                SHA-512:8DDE0277C2F8CF1CEF64B1EDF120C4A239619FBE9513C833C94B9A429984ECB8AD2A346FD9E333270207951021CCB0CA08FFCDF2ADE538AAFC2B5FAAA1ADF0A2
                                Malicious:false
                                Reputation:low
                                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL....f.Z#.|...@HkG....G..O*V..........pz...."....r...w&&|..c..3}~.....~...os..f.......4..1.gJ.'.d".L...A.t...F.{....C.|&.wGj.h\.3.
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                Process:C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8
                                Entropy (8bit):3.0
                                Encrypted:false
                                SSDEEP:3:mctn:mcn
                                MD5:D6F53F9D52EE3C43FAAB54C8BBDCDB9B
                                SHA1:FC2E188E00AFF335ABF17FB3319433CEE7CBC77A
                                SHA-256:93FB74B9C257EF909456FB14BDE732BE75C99B21F66C6CD31BD5AE51614F8B4E
                                SHA-512:FB68328E003834C01595D46C036CF042F387662B6164942A8ABD5EEAA5797AB0D9C0E2AE5BDFA9E9C7B66C5186748EC728FEABB7C196E57F2EFD216FD3D2A504
                                Malicious:true
                                Reputation:low
                                Preview: .@..m+.H
                                C:\Users\user\AppData\Roaming\KbWjJvsRSE.exe
                                Process:C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):919552
                                Entropy (8bit):7.392987782971905
                                Encrypted:false
                                SSDEEP:24576:SRjfsacU2VITgLiflegZKnWV0trUGrO2:QmITtZgWurnZ
                                MD5:FB1EB909E34C22F21310565CF4B71563
                                SHA1:F301810874AC9B59AEF7C5CA3D8377E35E4906BA
                                SHA-256:ACFD6CEDDCB0F24E6A170EB64CFBBB1AF4876BCDA5FB572C36330B1F6208A84E
                                SHA-512:E4D3C5A58D21FCC3E7A3D3AEC066C0A7B9CCC83B3328813D9E13F16085B1BF5A5E7FA90D1145D5EE7D15D045F9FA66169C4448B79D761EC2B9A1C8C75E768073
                                Malicious:false
                                Reputation:low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~`.`..............P..P...........o... ........@.. .......................`............@..................................n..O...........................@.......m............................................... ............... ..H............text....O... ...P.................. ..`.rsrc...............R..............@..@.reloc.......@......................@..B.................n......H...........T:...........................................................0............(....(..........(.....o ....*.....................(!......("......(#......($......(%....*N..(....oS...(&....*&..('....*.s(........s)........s*........s+........s,........*....0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*..(2...*6..o3...(4...*&...o5...*.0..............,...+...(6...s7.....*&..(2....*.
                                C:\Users\user\AppData\Roaming\KbWjJvsRSE.exe:Zone.Identifier
                                Process:C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview: [ZoneTransfer]....ZoneId=0

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.392987782971905
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:POInvoiceOrderIuVvcl0VWEOAmXy.exe
                                File size:919552
                                MD5:fb1eb909e34c22f21310565cf4b71563
                                SHA1:f301810874ac9b59aef7c5ca3d8377e35e4906ba
                                SHA256:acfd6ceddcb0f24e6a170eb64cfbbb1af4876bcda5fb572c36330b1f6208a84e
                                SHA512:e4d3c5a58d21fcc3e7a3d3aec066c0a7b9ccc83b3328813d9e13f16085b1bf5a5e7fa90d1145d5ee7d15d045f9fa66169c4448b79d761ec2b9a1c8c75e768073
                                SSDEEP:24576:SRjfsacU2VITgLiflegZKnWV0trUGrO2:QmITtZgWurnZ
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~`.`..............P..P...........o... ........@.. .......................`............@................................

                                File Icon

                                Icon Hash:e4ccccc4d6c6ced0

                                Static PE Info

                                General

                                Entrypoint:0x4c6f12
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x60C0607E [Wed Jun 9 06:32:30 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v2.0.50727
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc6ec0 | 0x4f | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x1b3d4 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc6d88 | 0x1c | .text
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0xc4f18 | 0xc5000 | False | 0.824205117782 | data | 7.64208263099 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc | 0xc8000 | 0x1b3d4 | 0x1b400 | False | 0.163507024083 | data | 3.50216689317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0xe4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_ICON | 0xc8250 | 0x2682 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | -
                                RT_ICON | 0xca8d4 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | - | -
                                RT_ICON | 0xdb0fc | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | - | -
                                RT_ICON | 0xdf324 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | - | -
                                RT_ICON | 0xe18cc | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 2583634198, next used block 268378390 | - | -
                                RT_ICON | 0xe2974 | 0x468 | GLS_BINARY_LSB_FIRST | - | -
                                RT_GROUP_ICON | 0xe2ddc | 0x5a | data | - | -
                                RT_GROUP_ICON | 0xe2e38 | 0x3e | data | - | -
                                RT_VERSION | 0xe2e78 | 0x370 | data | - | -
                                RT_MANIFEST | 0xe31e8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -

                                Imports

                                DLL | Import
                                mscoree.dll | _CorExeMain

                                Version Infos

                                Description | Data
                                Translation | 0x0000 0x04b0
                                LegalCopyright | Copyright Kanal 2 2012
                                Assembly Version | 2.0.0.0
                                InternalName | DictionaryValueCollection.exe
                                FileVersion | 2.0.0.0
                                CompanyName | Kanal 2
                                LegalTrademarks | -
                                Comments | -
                                ProductName | eg2012
                                ProductVersion | 2.0.0.0
                                FileDescription | eg2012
                                OriginalFilename | DictionaryValueCollection.exe

                                Network Behavior

                                Snort IDS Alerts

                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                06/09/21-10:36:21.025415 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:36:27.238432 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:36:33.643583 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:36:39.965819 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49733 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:36:47.045107 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:36:53.291694 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49742 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:36:59.519297 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:37:05.825337 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:37:12.192676 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49752 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:37:19.250964 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:37:30.459866 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49755 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:37:36.867895 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49756 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:37:43.200507 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:37:49.441608 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49762 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:37:55.708033 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49763 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:38:01.940654 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49764 | 6060 | 192.168.2.3 | 194.5.98.87
                                06/09/21-10:38:07.998819 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49765 | 6060 | 192.168.2.3 | 194.5.98.87

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jun 9, 2021 10:36:20.278894901 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:20.497256994 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:20.497406006 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:21.025414944 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:21.307878971 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:21.308171034 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:21.515808105 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:21.515995026 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:21.578834057 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:21.785729885 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:21.785798073 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.006258965 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.006345987 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.288290024 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.288491011 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.568294048 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.568470001 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.610862970 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.610958099 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.611314058 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.611386061 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.611453056 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.611474037 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.611524105 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.611546040 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.702630997 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.834319115 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.834400892 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.852669954 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.852750063 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.852941990 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.852986097 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.861932039 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.862026930 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.862586975 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.862639904 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.862936974 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.863399029 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.863615036 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.863683939 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.863935947 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.863982916 CEST | 6060 | 49715 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:22.863991022 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:22.864020109 CEST | 49715 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:27.019439936 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:27.237756014 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:27.237894058 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:27.238431931 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:27.508985996 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:27.509912014 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:27.610074997 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:27.610152006 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:27.789401054 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:27.789505959 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:27.889475107 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:27.889585972 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.022054911 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.022186041 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.169262886 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.169471979 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.284943104 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.285156965 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.439126968 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.439287901 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.473059893 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.473227024 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.473345995 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.473396063 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.473479033 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.473521948 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.473612070 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.473664999 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.555447102 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.555515051 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.707134008 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.707173109 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.707190990 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.707207918 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.707328081 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.707380056 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.707458019 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.707516909 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.716397047 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.716522932 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.716551065 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.716588020 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.716618061 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.716677904 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.820178032 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.820348024 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.940015078 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.940057039 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.940102100 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.940154076 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.940205097 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.941556931 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.941610098 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.942374945 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3
                                Jun 9, 2021 10:36:28.942442894 CEST | 49717 | 6060 | 192.168.2.3 | 194.5.98.87
                                Jun 9, 2021 10:36:28.942563057 CEST | 6060 | 49717 | 194.5.98.87 | 192.168.2.3

                                UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jun 9, 2021 10:36:02.655715942 CEST  55984        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:02.698004961 CEST  53           55984      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:03.640913963 CEST  64185        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:03.683454990 CEST  53           64185      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:05.146358967 CEST  65110        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:05.190650940 CEST  53           65110      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:06.131125927 CEST  58361        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:06.173707962 CEST  53           58361      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:12.328316927 CEST  63492        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:12.372397900 CEST  53           63492      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:13.740787983 CEST  60831        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:13.783344030 CEST  53           60831      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:15.739696980 CEST  60100        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:15.782198906 CEST  53           60100      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:20.047811985 CEST  53195        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:20.264655113 CEST  53           53195      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:26.807152987 CEST  50141        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:27.016743898 CEST  53           50141      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:27.054666996 CEST  53023        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:27.097677946 CEST  53           53023      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:28.530730009 CEST  49563        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:28.576335907 CEST  53           49563      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:29.834455013 CEST  51352        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:29.877003908 CEST  53           51352      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:31.234874964 CEST  59349        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:31.277954102 CEST  53           59349      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:32.169289112 CEST  57084        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:32.211476088 CEST  53           57084      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:32.655452013 CEST  58823        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:32.700154066 CEST  53           58823      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:33.197031021 CEST  57568        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:33.408946037 CEST  53           57568      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:33.591783047 CEST  50540        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:33.634377003 CEST  53           50540      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:34.537992954 CEST  54366        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:34.580698013 CEST  53           54366      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:35.894808054 CEST  53034        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:35.937314987 CEST  53           53034      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:37.218290091 CEST  57762        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:37.261087894 CEST  53           57762      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:39.484498024 CEST  55435        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:39.529063940 CEST  53           55435      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:39.532572031 CEST  50713        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:39.741951942 CEST  53           50713      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:42.846616983 CEST  56132        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:42.889030933 CEST  53           56132      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:44.394973040 CEST  58987        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:44.437268019 CEST  53           58987      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:46.335578918 CEST  56579        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:46.378822088 CEST  53           56579      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:48.167681932 CEST  60633        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:48.191525936 CEST  61292        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:48.218827009 CEST  53           60633      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:48.235430956 CEST  53           61292      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:50.734936953 CEST  63619        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:50.777770042 CEST  53           63619      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:50.890386105 CEST  64938        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:50.933078051 CEST  53           64938      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:52.063003063 CEST  61946        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:52.105932951 CEST  53           61946      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:52.856112957 CEST  64910        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:53.070564985 CEST  53           64910      8.8.8.8      192.168.2.3
Jun 9, 2021 10:36:59.254034042 CEST  52123        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:36:59.297163963 CEST  53           52123      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:04.701843977 CEST  56130        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:04.745234013 CEST  53           56130      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:05.541382074 CEST  56338        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:05.584774017 CEST  53           56338      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:08.324937105 CEST  59420        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:08.369405985 CEST  53           59420      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:11.751173019 CEST  58784        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:11.966873884 CEST  53           58784      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:18.215631962 CEST  63978        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:18.426738977 CEST  53           63978      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:25.377041101 CEST  62938        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:25.420192003 CEST  53           62938      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:30.022260904 CEST  55708        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:30.233668089 CEST  53           55708      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:36.421251059 CEST  56803        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:36.634321928 CEST  53           56803      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:39.821501970 CEST  57145        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:39.865470886 CEST  53           57145      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:40.565571070 CEST  55359        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:40.616491079 CEST  53           55359      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:40.689285040 CEST  58306        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:40.741725922 CEST  53           58306      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:42.055051088 CEST  64124        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:42.105699062 CEST  53           64124      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:42.762809992 CEST  49361        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:42.976070881 CEST  53           49361      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:49.167521000 CEST  63150        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:49.210297108 CEST  53           63150      8.8.8.8      192.168.2.3
Jun 9, 2021 10:37:55.253063917 CEST  53279        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:37:55.461719990 CEST  53           53279      8.8.8.8      192.168.2.3
Jun 9, 2021 10:38:01.676273108 CEST  56881        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:38:01.719487906 CEST  53           56881      8.8.8.8      192.168.2.3
Jun 9, 2021 10:38:07.727155924 CEST  53642        53         192.168.2.3  8.8.8.8
Jun 9, 2021 10:38:07.770628929 CEST  53           53642      8.8.8.8      192.168.2.3

                                DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class
Jun 9, 2021 10:36:20.047811985 CEST  192.168.2.3  8.8.8.8  0xb33e    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:36:26.807152987 CEST  192.168.2.3  8.8.8.8  0x146d    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:36:33.197031021 CEST  192.168.2.3  8.8.8.8  0x5156    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:36:39.532572031 CEST  192.168.2.3  8.8.8.8  0x6289    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:36:46.335578918 CEST  192.168.2.3  8.8.8.8  0x64b2    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:36:52.856112957 CEST  192.168.2.3  8.8.8.8  0xcdf1    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:36:59.254034042 CEST  192.168.2.3  8.8.8.8  0xb180    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:37:05.541382074 CEST  192.168.2.3  8.8.8.8  0x944f    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:37:11.751173019 CEST  192.168.2.3  8.8.8.8  0xdf89    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:37:18.215631962 CEST  192.168.2.3  8.8.8.8  0xdc0f    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:37:25.377041101 CEST  192.168.2.3  8.8.8.8  0xdd4     Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:37:30.022260904 CEST  192.168.2.3  8.8.8.8  0x35f2    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:37:36.421251059 CEST  192.168.2.3  8.8.8.8  0x97c0    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:37:42.762809992 CEST  192.168.2.3  8.8.8.8  0x231c    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:37:49.167521000 CEST  192.168.2.3  8.8.8.8  0x8da4    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:37:55.253063917 CEST  192.168.2.3  8.8.8.8  0x182f    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:38:01.676273108 CEST  192.168.2.3  8.8.8.8  0x48bc    Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)
Jun 9, 2021 10:38:07.727155924 CEST  192.168.2.3  8.8.8.8  0x458     Standard query (0)  kkmmtt.duckdns.org  A (IP address)  IN (0x0001)

                                DNS Answers

Empty cells are shown as "-".

Timestamp                            Source IP    Dest IP      Trans ID  Reply Code    Name                      CName                                 Address      Type                    Class
Jun 9, 2021 10:36:20.264655113 CEST  8.8.8.8      192.168.2.3  0xb33e    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:36:27.016743898 CEST  8.8.8.8      192.168.2.3  0x146d    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:36:33.408946037 CEST  8.8.8.8      192.168.2.3  0x5156    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:36:39.741951942 CEST  8.8.8.8      192.168.2.3  0x6289    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:36:46.378822088 CEST  8.8.8.8      192.168.2.3  0x64b2    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:36:53.070564985 CEST  8.8.8.8      192.168.2.3  0xcdf1    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:36:59.297163963 CEST  8.8.8.8      192.168.2.3  0xb180    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:37:05.584774017 CEST  8.8.8.8      192.168.2.3  0x944f    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:37:11.966873884 CEST  8.8.8.8      192.168.2.3  0xdf89    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:37:18.426738977 CEST  8.8.8.8      192.168.2.3  0xdc0f    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:37:25.420192003 CEST  8.8.8.8      192.168.2.3  0xdd4     No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:37:30.233668089 CEST  8.8.8.8      192.168.2.3  0x35f2    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:37:36.634321928 CEST  8.8.8.8      192.168.2.3  0x97c0    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:37:39.865470886 CEST  8.8.8.8      192.168.2.3  0x99ff    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net  -            CNAME (Canonical name)  IN (0x0001)
Jun 9, 2021 10:37:42.976070881 CEST  8.8.8.8      192.168.2.3  0x231c    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:37:49.210297108 CEST  8.8.8.8      192.168.2.3  0x8da4    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:37:55.461719990 CEST  8.8.8.8      192.168.2.3  0x182f    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:38:01.719487906 CEST  8.8.8.8      192.168.2.3  0x48bc    No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
Jun 9, 2021 10:38:07.770628929 CEST  8.8.8.8      192.168.2.3  0x458     No error (0)  kkmmtt.duckdns.org        -                                     194.5.98.87  A (IP address)          IN (0x0001)
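
The DNS tables above are the network-side signature worth keeping from this report: eighteen A lookups of kkmmtt.duckdns.org, one roughly every 6.4 seconds, every one answered with 194.5.98.87, the host the TCP table shows being contacted on port 6060. A fixed re-resolution period against a dynamic-DNS name is what a resolver-log hunt should key on, independent of the specific domain. The script below is an added example and is not part of the Joe Sandbox report: it replays the query records (copied from the DNS Queries table, plus the single prda.aadg.msidentity.com lookup visible in the DNS Answers table and the matching UDP packet) through a beacon-interval check. The pipe-separated record format, the DYNAMIC_DNS_SUFFIXES list and the min_queries / max_jitter thresholds are assumptions made for illustration.

```python
"""Beacon-interval check over the DNS records from the report.

Added example, not part of the Joe Sandbox report. The record format,
the dynamic-DNS suffix list and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Records rebuilt from the report's "DNS Queries" table
# (timestamp|source|destination|name|type); the msidentity.com line is
# the one-off lookup whose answer appears in "DNS Answers".
DNS_LOG = """\
Jun 9, 2021 10:36:20.047811985 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:36:26.807152987 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:36:33.197031021 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:36:39.532572031 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:36:46.335578918 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:36:52.856112957 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:36:59.254034042 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:37:05.541382074 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:37:11.751173019 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:37:18.215631962 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:37:25.377041101 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:37:30.022260904 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:37:36.421251059 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:37:39.821501970 CEST|192.168.2.3|8.8.8.8|prda.aadg.msidentity.com|A
Jun 9, 2021 10:37:42.762809992 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:37:49.167521000 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:37:55.253063917 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:38:01.676273108 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
Jun 9, 2021 10:38:07.727155924 CEST|192.168.2.3|8.8.8.8|kkmmtt.duckdns.org|A
"""

# Assumed list of public dynamic-DNS suffixes; extend to taste.
DYNAMIC_DNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".ddns.net", ".hopto.org")


def parse_timestamp(text):
    """'Jun 9, 2021 10:36:20.047811985 CEST' -> float seconds.

    strptime's %f accepts at most six digits, so the nanosecond field is
    handled by hand; the zone label is ignored since only gaps matter.
    """
    date_part, time_part, _zone = text.rsplit(" ", 2)
    day = datetime.strptime(date_part, "%b %d, %Y").replace(tzinfo=timezone.utc)
    hours, minutes, seconds = time_part.split(":")
    return day.timestamp() + int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def parse_dns_log(text):
    """Return [(seconds, name), ...] for every non-empty record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _src, _dst, name, _qtype = line.split("|")
        records.append((parse_timestamp(stamp), name.lower()))
    return records


def interval_stats(times):
    """Median gap between consecutive queries and a jitter ratio.

    Jitter is the median absolute deviation divided by the median, which
    keeps one early or late retry from masking an otherwise fixed period.
    """
    times = sorted(times)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    med = median(gaps)
    mad = median([abs(g - med) for g in gaps])
    return med, (mad / med if med else float("inf"))


def find_beacons(records, min_queries=5, max_jitter=0.25):
    """Names looked up at least min_queries times at a stable interval."""
    by_name = defaultdict(list)
    for stamp, name in records:
        by_name[name].append(stamp)
    hits = {}
    for name, times in by_name.items():
        if len(times) < min_queries:
            continue
        med, jitter = interval_stats(times)
        if jitter <= max_jitter:
            hits[name] = {
                "count": len(times),
                "median_interval": round(med, 2),
                "jitter": round(jitter, 3),
                "dynamic_dns": name.endswith(DYNAMIC_DNS_SUFFIXES),
            }
    return hits


if __name__ == "__main__":
    for name, info in find_beacons(parse_dns_log(DNS_LOG)).items():
        print(name, info)
```

Run against the report's records it flags only kkmmtt.duckdns.org, with a median interval of about 6.4 s and a jitter ratio near 0.02; the single msidentity.com lookup never reaches the minimum count. The median-based jitter matters in practice: the 10:37:30 query arrives after only 4.6 s, and a mean/standard-deviation test would let that one retry push a short capture over the threshold.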

                                Code Manipulations

                                Statistics

                                Behavior

                                System Behavior

                                General

                                Start time:10:36:00
                                Start date:09/06/2021
                                Path:C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe'
                                Imagebase:0x830000
                                File size:919552 bytes
                                MD5 hash:FB1EB909E34C22F21310565CF4B71563
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:10:36:15
                                Start date:09/06/2021
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KbWjJvsRSE' /XML 'C:\Users\user\AppData\Local\Temp\tmp220B.tmp'
                                Imagebase:0xf40000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:10:36:15
                                Start date:09/06/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6b2800000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:10:36:16
                                Start date:09/06/2021
                                Path:C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe
                                Imagebase:0xc60000
                                File size:919552 bytes
                                MD5 hash:FB1EB909E34C22F21310565CF4B71563
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.472281390.0000000005C60000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.472281390.0000000005C60000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.472281390.0000000005C60000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low
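
The process tree above is the host-side counterpart of the DNS beacon: the sample, running from the user's Desktop, spawns schtasks.exe with /Create /TN 'Updates\KbWjJvsRSE' /XML pointing at a .tmp file in the user's %TEMP% directory (the page's "Uses schtasks.exe or at.exe to add and modify task schedules" signature), and then starts a second copy of itself in which the NanoCore Yara rules match. The task-registration step is the one that is easy to turn into a process-creation detection. The script below is an added example, not part of the Joe Sandbox report and not a rule from any of the referenced signature sets: it checks Sysmon-style process-creation events for schtasks /Create invocations whose task XML or whose parent binary lives in a user-writable location. The event field names (Image, CommandLine, ParentImage), the two benign comparison events and the USER_WRITABLE_MARKERS list are assumptions; only the first event reproduces the report's entry.

```python
"""Detection for the scheduled-task persistence seen in the report.

Added example, not part of the Joe Sandbox report. The Sysmon-style field
names (Image, CommandLine, ParentImage), the benign comparison events and
the USER_WRITABLE_MARKERS list are assumptions made for illustration.
"""
import re
from pathlib import PureWindowsPath

# Constructed process-creation events. The first reproduces the report's
# schtasks.exe entry and its parent (the sample running from the Desktop);
# the other two are assumed benign task operations for comparison.
EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KbWjJvsRSE' /XML 'C:\Users\user\AppData\Local\Temp\tmp220B.tmp'",
        "ParentImage": r"C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe",
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater-task.xml"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r"schtasks.exe /Query /TN Vendor\Updater",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

# Assumed markers for locations an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# A quoted run (either quote style) or a bare run of non-space characters.
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def tokenize(command_line):
    """Split a Windows command line, honouring single and double quotes.

    The report renders quotes as single quotes while real telemetry carries
    double quotes, so both are accepted and stripped from the tokens.
    """
    return [t.strip("'\"") for t in TOKEN_RE.findall(command_line)]


def option_value(tokens, option):
    """Value following an option such as /XML or /TN (case-insensitive)."""
    lowered = [t.lower() for t in tokens]
    if option.lower() in lowered:
        i = lowered.index(option.lower())
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def is_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def check_event(event):
    """Reasons a process-creation event looks like malware registering a
    scheduled task; an empty list means nothing suspicious was seen."""
    # Match on the image name only: under WOW64 the report shows the file
    # in SysWOW64 while the command line names System32.
    if PureWindowsPath(event["Image"]).name.lower() != "schtasks.exe":
        return []
    tokens = tokenize(event["CommandLine"])
    if "/create" not in (t.lower() for t in tokens):
        return []
    reasons = []
    xml = option_value(tokens, "/XML")
    if xml and is_user_writable(xml):
        reasons.append("task XML loaded from user-writable path: " + xml)
    if is_user_writable(event["ParentImage"]):
        reasons.append("schtasks spawned by binary in user-writable path: "
                       + event["ParentImage"])
    return reasons


def find_suspicious(events):
    """Events with at least one reason, keeping the task name for triage."""
    hits = []
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            hits.append({
                "parent": ev["ParentImage"],
                "task": option_value(tokenize(ev["CommandLine"]), "/TN"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print(hit["task"], "<-", hit["parent"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

On the constructed events only the report's entry is returned, with both reasons; the installer-driven /Create from Program Files and the /Query produce nothing. Two details carry over to real telemetry: match schtasks.exe by image name rather than full path, because the SysWOW64/System32 mismatch in the report is normal WOW64 file-system redirection, and treat the /XML path as the primary signal, since a task definition handed over as a temporary file in %TEMP% is how this family registers persistence without putting the command line on the screen.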

                                Disassembly

                                Code Analysis
