
Analysis Report InvoicePOzGlybgcIc1vHasG.exe

Overview

General Information

Sample Name: InvoicePOzGlybgcIc1vHasG.exe
Analysis ID: 431840
MD5: 372a0f073e924d0411a1fb660840a4cb
SHA1: 4d7784beff50b79d456d7d18eeddf8fbaf66afb9
SHA256: babc65e527c875dbdd52604ef5ff4d2549958aaa59807a513d9008734754198c
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • InvoicePOzGlybgcIc1vHasG.exe (PID: 2168 cmdline: 'C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe' MD5: 372A0F073E924D0411A1FB660840A4CB)
    • schtasks.exe (PID: 5400 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OWNYQkAV' /XML 'C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1fb9e357-3073-471b-ab6f-630ca123", "Group": "kmt", "Domain1": "kkmmtt.duckdns.org", "Domain2": "kmttk.hopto.org", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source | Rule | Description | Author | Strings

4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x170b:$x2: NanoCore.ClientPluginHost
  • 0x34b6:$s4: PipeCreated
  • 0x16f8:$s5: IClientLoggingHost
4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe, ProcessId: 6056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1fb9e357-3073-471b-ab6f-630ca123", "Group": "kmt", "Domain1": "kkmmtt.duckdns.org", "Domain2": "kmttk.hopto.org", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: kmttk.hopto.org | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\OWNYQkAV.exe | ReversingLabs: Detection: 10%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 6056, type: MEMORY
Source: Yara match | File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.464d4f2.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3d77e00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.raw.unpack, type: UNPACKEDPE
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: InvoicePOzGlybgcIc1vHasG.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: InvoicePOzGlybgcIc1vHasG.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: ll\System.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482087676.0000000001507000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: ll\mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482087676.0000000001507000.00000004.00000020.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.252560663.0000000008050000.00000002.00000001.sdmp, InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.487773998.00000000057F0000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4x nop then mov esp, ebp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49722 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49727 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49729 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49752 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 194.5.98.87:6060
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49754 -> 194.5.98.87:6060
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: kmttk.hopto.org
Source: Malware configuration extractor | URLs: kkmmtt.duckdns.org
Uses dynamic DNS services
Source: unknown | DNS query: name: kkmmtt.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.3:49722 -> 194.5.98.87:6060
Source: Joe Sandbox View | ASN Name: DANILENKODE DANILENKODE
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_03262936 WSARecv,
Source: unknown | DNS traffic detected: queries for: kkmmtt.duckdns.org
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.485726963.0000000003649000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 6056, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 6056, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a1f463.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a36ac7.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3606108.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.360128c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a1f463.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.360128c.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.369ae78.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.369ae78.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3686810.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a36ac7.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3686810.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3686810.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3d77e00.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.464d4f2.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3d77e00.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: InvoicePOzGlybgcIc1vHasG.exe
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04D7197A NtQuerySystemInformation,
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04D7194D NtQuerySystemInformation,
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_0326116A NtQuerySystemInformation,
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_0326112F NtQuerySystemInformation,
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F685C9
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F60AC8
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F682A8
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F6F250
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F6F621
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F60AB8
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F68298
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F69640
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F6962F
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F693F8
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04F693E8
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A62AE8
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A60B80
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A6BF60
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A61370
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A6C340
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A6BC00
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A60070
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A61C78
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A6C990
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A62AC1
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A6AA20
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A64A08
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A64261
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A64270
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A61781
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A687EE
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A687F0
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A647F8
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A60B25
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A6CCA8
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A65880
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A64C28
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A64C38
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A60007
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A64808
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A6A470
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A64DB0
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A68D90
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A649FB
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A699F8
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A64DC0
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A69D30
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A69568
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_031FAF18
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_031F2FA8
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_031F9248
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_031F8648
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_031F3850
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_031F930F
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_031F306F
Source: InvoicePOzGlybgcIc1vHasG.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OWNYQkAV.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: InvoicePOzGlybgcIc1vHasG.exe | Binary or memory string: OriginalFilename vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.248431465.0000000003F61000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.252608708.00000000080B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.242439797.00000000006C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStateMachineAttribute.exe. vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.252953056.0000000008860000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.252953056.0000000008860000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.252560663.0000000008050000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.252775062.0000000008770000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe | Binary or memory string: OriginalFilename vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000003.00000000.239617941.0000000000352000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStateMachineAttribute.exe. vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe | Binary or memory string: OriginalFilename vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000000.240611140.0000000000DB2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStateMachineAttribute.exe. vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482885403.0000000003240000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.487773998.00000000057F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.487317727.0000000004905000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.487317727.0000000004905000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.487317727.0000000004905000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.487317727.0000000004905000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.487317727.0000000004905000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.487317727.0000000004905000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe | Binary or memory string: OriginalFilenameStateMachineAttribute.exe. vs InvoicePOzGlybgcIc1vHasG.exe
Source: InvoicePOzGlybgcIc1vHasG.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
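The "OriginalFilename vs InvoicePOzGlybgcIc1vHasG.exe" rows above come from the sandbox walking version-info strings in the binary and in process memory: the dropped name (an "Invoice" lure) differs from the compiled-in OriginalFilename (StateMachineAttribute.exe), and the injected process carries the OriginalFilename values of the NanoCore client and its plugin DLLs. The script below is an added example, not part of the Joe Sandbox report and not NanoCore's own code, that reproduces both checks over a raw byte buffer such as a dropped file or a dumped memory region. It assumes ASCII-only values and matches the UTF-16LE key/value layout of VS_VERSIONINFO String entries with a regular expression rather than a full resource-directory parser; the NanoCore module list is taken from the evidence rows above, and the sample buffer is constructed here for the demonstration.

```python
"""Scan raw bytes for PE version-info OriginalFilename values and flag
(a) values that differ from the name the file was dropped under and
(b) values naming known NanoCore client components.
Added example for this report; not the sandbox's or NanoCore's own code."""
import re

# Module names copied from the OriginalFilename evidence rows above
# (process 4, memory regions 0x4647000 and 0x4905000).
NANOCORE_MODULE_NAMES = frozenset({
    "NanoCoreBase.dll", "CoreClientPlugin.dll", "ClientPlugin.dll",
    "NetworkClientPlugin.dll", "SecurityClientPlugin.dll",
    "SurveillanceClientPlugin.dll", "SurveillanceExClientPlugin.dll",
    "ManagementClientPlugin.dll", "ToolsClientPlugin.dll",
    "FileBrowserClient.dll", "NanoProtectClient.dll",
    "NanoCoreStressTester.dll", "MyClientPlugin.dll", "MyClientPluginNew.dll",
})

# A VS_VERSIONINFO String entry stores the key and value as UTF-16LE:
# key, NUL, padding to a DWORD boundary, value, NUL. With ASCII values
# every character is one byte followed by 0x00, so the value is a run of
# (non-NUL, NUL) pairs ended by a 0x0000 terminator. (Assumption: ASCII only.)
_KEY = "OriginalFilename".encode("utf-16-le")
_ORIGINAL_FILENAME = re.compile(
    re.escape(_KEY) + rb"\x00\x00(?:\x00\x00)*((?:[^\x00]\x00)+)\x00\x00"
)


def extract_original_filenames(blob: bytes) -> list[str]:
    """Every OriginalFilename value found in the buffer, in buffer order."""
    return [m.group(1).decode("utf-16-le")
            for m in _ORIGINAL_FILENAME.finditer(blob)]


def original_name_mismatches(blob: bytes, on_disk_name: str) -> list[str]:
    """OriginalFilename values that differ (case-insensitively) from the
    name the sample was dropped under: the report's 'OriginalFilename vs'
    check. A lure name like Invoice*.exe will not match any of them."""
    return [name for name in extract_original_filenames(blob)
            if name.lower() != on_disk_name.lower()]


def find_nanocore_modules(blob: bytes) -> set[str]:
    """OriginalFilename values that belong to the NanoCore component set."""
    return {name for name in extract_original_filenames(blob)
            if name in NANOCORE_MODULE_NAMES}


def _version_string(key: str, value: str) -> bytes:
    """Lay out one key/value pair the way a String entry does (used only to
    build the constructed sample region below)."""
    encoded_key = key.encode("utf-16-le") + b"\x00\x00"
    if len(encoded_key) % 4:            # pad the key to a DWORD boundary
        encoded_key += b"\x00\x00"
    return encoded_key + value.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a dumped memory region; not data from the sample.
SAMPLE_REGION = (
    b"MZ\x90\x00" + b"\xcc" * 16
    + _version_string("OriginalFilename", "StateMachineAttribute.exe")
    + _version_string("CompanyName", "Example Corp")
    + _version_string("OriginalFilename", "mscorrc.dll")      # benign CLR DLL
    + _version_string("OriginalFilename", "NanoCoreBase.dll")
    + _version_string("OriginalFilename", "SurveillanceClientPlugin.dll")
    + b"\x00" * 8
)

if __name__ == "__main__":
    dropped_as = "InvoicePOzGlybgcIc1vHasG.exe"
    print("OriginalFilename values:", extract_original_filenames(SAMPLE_REGION))
    print("differ from dropped name:", original_name_mismatches(SAMPLE_REGION, dropped_as))
    print("NanoCore components:", sorted(find_nanocore_modules(SAMPLE_REGION)))
```

Run it against a real dump by replacing SAMPLE_REGION with the bytes of the region (for example the 0x4647000 region of process 4 in this report). A name mismatch alone is weak evidence, since many legitimate binaries are renamed on disk and loaded system DLLs such as mscorrc.dll and propsys.dll.mui also show up in a process dump; the plugin-name hits are the stronger signal, and pairing them with the Yara matches listed in this report is what justifies the NanoCore verdict.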
Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.485726963.0000000003649000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 6056, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 6056, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a1f463.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a1f463.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a36ac7.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a36ac7.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3606108.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3606108.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.360128c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.360128c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a1f463.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a1f463.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.360128c.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.360128c.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.369ae78.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.369ae78.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.369ae78.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3686810.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3686810.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a36ac7.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a36ac7.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3686810.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3686810.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3686810.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3d77e00.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.464d4f2.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3d77e00.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: InvoicePOzGlybgcIc1vHasG.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: OWNYQkAV.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/6@17/1
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04D71566 AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_04D7152F AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_03260F2A AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_03260EF3 AdjustTokenPrivileges,
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | File created: C:\Users\user\AppData\Roaming\OWNYQkAV.exe
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Mutant created: \Sessions\1\BaseNamedObjects\jgKvObfCZeDLBWSlGaIkZ
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_01
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{1fb9e357-3073-471b-ab6f-630ca1239b07}
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | File created: C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp
      Source: InvoicePOzGlybgcIc1vHasG.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
      Source: InvoicePOzGlybgcIc1vHasG.exe | String found in binary or memory: -start_number {0} -i "{1}{2}"
      Source: InvoicePOzGlybgcIc1vHasG.exe | String found in binary or memory: <!--StartFragment -->
      Source: InvoicePOzGlybgcIc1vHasG.exe | String found in binary or memory: -start_number {0} -i "{1}{2}"
      Source: InvoicePOzGlybgcIc1vHasG.exe | String found in binary or memory: <!--StartFragment -->
      Source: InvoicePOzGlybgcIc1vHasG.exe | String found in binary or memory: -start_number {0} -i "{1}{2}"
      Source: InvoicePOzGlybgcIc1vHasG.exe | String found in binary or memory: <!--StartFragment -->
      Source: InvoicePOzGlybgcIc1vHasG.exe | String found in binary or memory: <<<<<<<3+<!--StartFragment -->
      Source: InvoicePOzGlybgcIc1vHasG.exe | String found in binary or memory: %0{0}d;-start_number {0} -i "{1}{2}"
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | File read: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
      Source: unknown | Process created: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe 'C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe'
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OWNYQkAV' /XML 'C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Process created: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Process created: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OWNYQkAV' /XML 'C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp'
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Process created: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Process created: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: InvoicePOzGlybgcIc1vHasG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: InvoicePOzGlybgcIc1vHasG.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
      Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
      Source: Binary string: ll\System.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482087676.0000000001507000.00000004.00000020.sdmp
      Source: Binary string: C:\Windows\dll\mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
      Source: Binary string: ll\mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482087676.0000000001507000.00000004.00000020.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
      Source: Binary string: mscorrc.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.252560663.0000000008050000.00000002.00000001.sdmp, InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.487773998.00000000057F0000.00000002.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_00FA957C push eax; ret
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A60AE3 push es; retf
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A67AE3 push es; retf
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A67BC3 push es; ret
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A657D8 push es; ret
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 0_2_06A629F7 push es; retf
      Source: initial sample | Static PE information: section name: .text entropy: 7.62703305973
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | File created: C:\Users\user\AppData\Roaming\OWNYQkAV.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OWNYQkAV' /XML 'C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Icon mismatch, binary includes an icon from a different legit application in order to fool users
      Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (35).png
      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | File opened: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match  File source: 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 2168, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Window / User API: threadDelayed 364
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Window / User API: foregroundWindowGot 934
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe TID: 5532  Thread sleep time: -101466s >= -30000s
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe TID: 5500  Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe TID: 1632  Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe TID: 3664  Thread sleep time: -600000s >= -30000s
      Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Code function: 4_2_03260BB6 GetSystemInfo,
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Thread delayed: delay time: 101466
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Thread delayed: delay time: 922337203685477
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: vmware
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482087676.0000000001507000.00000004.00000020.sdmp  Binary or memory string: Hyper-V RAWR
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: VMWARE
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: VMware SVGA II
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp  Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482087676.0000000001507000.00000004.00000020.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Process token adjusted: Debug
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Process token adjusted: Debug
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Memory written: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OWNYQkAV' /XML 'C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp'
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Process created: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Process created: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482572401.0000000001C10000.00000002.00000001.sdmp  Binary or memory string: Program Manager
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482572401.0000000001C10000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482572401.0000000001C10000.00000002.00000001.sdmp  Binary or memory string: Progman
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482572401.0000000001C10000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe  Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeCode function: 0_2_00F9B51E GetUserNameW,
      Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 6056, type: MEMORY
      Source: Yara match | File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.464d4f2.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3d77e00.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpK
eywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUp
loadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVers
ionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Yara detected Nanocore RAT
Source: Yara match; File source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 6056, type: MEMORY
Source: Yara match; File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.464d4f2.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3d77e00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe; Code function: 4_2_0326247A bind,
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe; Code function: 4_2_03262428 bind,

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 2 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Disable or Modify Tools 1 | Input Capture 1 1 | Account Discovery 1 | Remote Services | Archive Collected Data 1 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Process Injection 1 1 2 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Input Capture 1 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job 1 | Obfuscated Files or Information 3 | Security Account Manager | System Information Discovery 1 3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 3 | NTDS | Security Software Discovery 2 1 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 3 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 3 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 2 1 | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 1 1 2 | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction

      Behavior Graph

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

Screenshots

(Screenshot thumbnails are not reproduced in this text version of the report.)

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\OWNYQkAV.exe | 11% | ReversingLabs | Win32.Trojan.Wacatac

      Unpacked PE Files

Source | Detection | Scanner | Label
4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

Source | Detection | Scanner | Label
kkmmtt.duckdns.org | 1% | Virustotal | -

      URLs

Source | Detection | Scanner | Label
http://www.tiro.com)(u | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/a-e | 0% | Avira URL Cloud | safe
kmttk.hopto.org | 7% | Virustotal | -
kmttk.hopto.org | 0% | Avira URL Cloud | safe
kkmmtt.duckdns.org | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.tiro.comnm | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ana | 0% | URL Reputation | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/i | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.krH | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnl-p | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/V | 0% | URL Reputation | safe
http://en.wWD | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.coms | 0% | Avira URL Cloud | safe
http://www.founder.com.c | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fonts.comnn(6 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/t | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.sajatypeworks.coma-d | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
kkmmtt.duckdns.org | 194.5.98.87 | true | true | - | unknown

      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
kmttk.hopto.org | true | 7% (Virustotal); Avira URL Cloud: safe | unknown
kkmmtt.duckdns.org | true | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com)(u | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213972429.00000000051FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers/? | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersJ | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.218281882.00000000051ED000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/a-e | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp, InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.217977217.00000000051E9000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersP | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.217977217.00000000051E9000.00000004.00000001.sdmp | false | - | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | false | - | high
http://www.tiro.comnm | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.214457549.00000000051FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213633933.00000000051FB000.00000004.00000001.sdmp, InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ana | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comn | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213654778.00000000051FB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/i | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.215751413.00000000051E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213633933.00000000051FB000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krH | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.214817791.00000000051E6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnl-p | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.215498919.000000000521D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Y | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.241552978.00000000051E0000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/V | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://en.wWD | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213265466.0000000000FCD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.coms | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213633933.00000000051FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.c | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.215519323.00000000051E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.241552978.00000000051E0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.215751413.00000000051E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | - | high
http://www.fonts.comnn(6 | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213633933.00000000051FB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/t | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comm | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.241552978.00000000051E0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.coma-d | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213633933.00000000051FB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | false | - | high

                                Contacted IPs


                                Public

                                IP           Domain              Country      ASN     ASN Name     Malicious
                                194.5.98.87  kkmmtt.duckdns.org  Netherlands  208476  DANILENKODE  true

                                General Information

                                Joe Sandbox Version:32.0.0 Black Diamond
                                Analysis ID:431840
                                Start date:09.06.2021
                                Start time:12:25:52
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 10m 8s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:InvoicePOzGlybgcIc1vHasG.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes:25
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@8/6@17/1
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 2.7% (good quality ratio 2.6%)
                                • Quality average: 53.5%
                                • Quality standard deviation: 21.1%
                                HCA Information:
                                • Successful, ratio: 92%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                • TCP Packets have been reduced to 100
                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 92.122.145.220, 104.42.151.234, 13.64.90.137, 40.88.32.150, 52.255.188.83, 104.43.193.48, 104.43.139.144, 20.82.210.154, 184.30.20.56, 93.184.221.240, 20.54.26.129, 92.122.213.194, 92.122.213.247
                                • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                Time      Type             Description
                                12:26:51  API Interceptor  958x Sleep call for process: InvoicePOzGlybgcIc1vHasG.exe modified

                                Joe Sandbox View / Context

                                IPs

                                Match        Associated Sample Name / URL       Detection  Context
                                194.5.98.87  POInvoiceOrderIuVvcl0VWEOAmXy.exe  malicious
                                             Invoice_orderYscFwfO1peuGl0w.exe   malicious

                                    Domains

                                    Match               Associated Sample Name / URL       Detection  Context
                                    kkmmtt.duckdns.org  POInvoiceOrderIuVvcl0VWEOAmXy.exe  malicious  194.5.98.87

                                    ASN

                                    Match        Associated Sample Name / URL                          Detection  Context
                                    DANILENKODE  POInvoiceOrderIuVvcl0VWEOAmXy.exe                     malicious  194.5.98.87
                                                 payment invoice.exe                                   malicious  194.5.98.23
                                                 #RFQ ORDER484475577797.exe                            malicious  194.5.98.120
                                                 b6yzWugw8V.exe                                        malicious  194.5.98.107
                                                 0041#Receipt.pif.exe                                  malicious  194.5.98.180
                                                 j07ghiByDq.exe                                        malicious  194.5.97.146
                                                 j07ghiByDq.exe                                        malicious  194.5.97.146
                                                 PROOF OF PAYMENT.exe                                  malicious  194.5.97.18
                                                 SecuriteInfo.com.Trojan.PackedNET.820.24493.exe       malicious  194.5.97.61
                                                 DHL_file.exe                                          malicious  194.5.98.145
                                                 BBS FX.xlsx                                           malicious  194.5.97.61
                                                 GpnPv433gb.exe                                        malicious  194.5.98.11
                                                 Kj7tTd1Zimp0ciI.exe                                   malicious  194.5.97.197
                                                 Resume.exe                                            malicious  194.5.98.8
                                                 SecuriteInfo.com.Trojan.DownLoader39.38629.28832.exe  malicious  194.5.98.145
                                                 SecuriteInfo.com.Variant.Razy.840898.18291.exe        malicious  194.5.98.144
                                                 8LtwhjD2Qm.exe                                        malicious  194.5.98.107
                                                 Receiptn.exe                                          malicious  194.5.98.180
                                                 soa5.exe                                              malicious  194.5.98.48
                                                 soa5.exe                                              malicious  194.5.98.48

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InvoicePOzGlybgcIc1vHasG.exe.log
                                    Process:C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):664
                                    Entropy (8bit):5.288448637977022
                                    Encrypted:false
                                    SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                    MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                    SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                    SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                    SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                                    C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp
                                    Process:C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1641
                                    Entropy (8bit):5.198638736339874
                                    Encrypted:false
                                    SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB9Ntn:cbh47TlNQ//rydbz9I3YODOLNdq3H
                                    MD5:65B8E874E8C7B722282D9EAE22636205
                                    SHA1:3911D252BE06E717C92BCB33596F612990551227
                                    SHA-256:EACBBD33FFFD20262DB15EB1844EDA88C36B74111D4E9AEE14F5AC6D9571D8B8
                                    SHA-512:6DD349238F0A147B64D91D541710524F7A9E8D005721EB4773845CF0FA9A84774CC76B089CC9E0D29D005D62737C76C282530C61BE5A4958AA3A117E66A1CF20
                                    Malicious:true
                                    Reputation:low
                                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                    Process:C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2728
                                    Entropy (8bit):7.094528505897445
                                    Encrypted:false
                                    SSDEEP:48:Ik/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH8Uk/t3FmH87:ft3Ucrt3Ucrt3Ucrt3Ucrt3Ucrt3UcrN
                                    MD5:3F16EC9869DEDFFEC07792CA71B87AB5
                                    SHA1:124F3AAEB04E11DEA7361736CE472750D237D3D2
                                    SHA-256:1A187F3EF38284FF4EE2B20D6021C884E42FC72284F2DA858D7E389CE9C7D0E9
                                    SHA-512:8DDE0277C2F8CF1CEF64B1EDF120C4A239619FBE9513C833C94B9A429984ECB8AD2A346FD9E333270207951021CCB0CA08FFCDF2ADE538AAFC2B5FAAA1ADF0A2
                                    Malicious:false
                                    Reputation:low
                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                    Process:C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
                                    File Type:Non-ISO extended-ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):8
                                    Entropy (8bit):2.75
                                    Encrypted:false
                                    SSDEEP:3:D8:o
                                    MD5:175E573A6A264D22DEF1E0549EE24B19
                                    SHA1:D304CB912B1E7CB1B3A38E4F6A06C073D2CD868D
                                    SHA-256:08D59D3DF6BB432EB397E6FDC2900B8180BB9F6877D7A9875526ABE2EC9E2F3C
                                    SHA-512:E6F6C2498C0444946B4954134FDFB339B83FA47B13A964C1BD0AEABE44F1FEC579F3D22FFA0CD4BC3557AD4727EDE1D7F7AC25288F1AC8459ECDC958892A2905
                                    Malicious:true
                                    Reputation:low
                                    Preview: H,w.|+.H
                                    C:\Users\user\AppData\Roaming\OWNYQkAV.exe
                                    Process:C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):907264
                                    Entropy (8bit):7.374036796875479
                                    Encrypted:false
                                    SSDEEP:12288:LSZ+XlMV40XINxqkNgCrmpa5aFW5JV9JINdEW0YjrzzyKVfUhweevXTxh:LSZ+XUuqGmpjF8JV9JINSUjrzjUueeP
                                    MD5:372A0F073E924D0411A1FB660840A4CB
                                    SHA1:4D7784BEFF50B79D456D7D18EEDDF8FBAF66AFB9
                                    SHA-256:BABC65E527C875DBDD52604EF5FF4D2549958AAA59807A513D9008734754198C
                                    SHA-512:71E4AC3E3C3B3AFD92B78F4F0C1892EC12A33AFB149A5C5B096CBEBE5574F377442746AC641B9EA9B191A329DE170E657AF4BD19736E6AB7EE5B9B717D20A1A0
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 11%
                                    Reputation:low
                                    C:\Users\user\AppData\Roaming\OWNYQkAV.exe:Zone.Identifier
                                    Process:C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview: [ZoneTransfer]....ZoneId=0

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.374036796875479
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:InvoicePOzGlybgcIc1vHasG.exe
                                    File size:907264
                                    MD5:372a0f073e924d0411a1fb660840a4cb
                                    SHA1:4d7784beff50b79d456d7d18eeddf8fbaf66afb9
                                    SHA256:babc65e527c875dbdd52604ef5ff4d2549958aaa59807a513d9008734754198c
                                    SHA512:71e4ac3e3c3b3afd92b78f4f0c1892ec12a33afb149a5c5b096cbebe5574f377442746ac641b9ea9b191a329de170e657af4bd19736e6ab7ee5b9b717d20a1a0
                                    SSDEEP:12288:LSZ+XlMV40XINxqkNgCrmpa5aFW5JV9JINdEW0YjrzzyKVfUhweevXTxh:LSZ+XUuqGmpjF8JV9JINSUjrzjUueeP
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>..`................. ..........N>... ...@....@.. ....................... ............@................................

                                    File Icon

                                    Icon Hash:e4ccccc4d6c6ced0

                                    Static PE Info

                                    General

                                    Entrypoint:0x4c3e4e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                    Time Stamp:0x60C08B3E [Wed Jun 9 09:34:54 2021 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:v2.0.50727
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al

                                    Data Directories

                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0xc3dfc          0x4f          .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x1b3c8       .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe0000          0xc           .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                    Sections

                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                    .text   0x2000           0xc1e54       0xc2000   False     0.819717249919   data       7.62703305973    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rsrc   0xc4000          0x1b3c8       0x1b400   False     0.163390553326   data       3.49742133558    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc  0xe0000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                    Name           RVA      Size     Type                                                                                                                               Language  Country
                                    RT_ICON        0xc4250  0x2682   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                    RT_ICON        0xc68d4  0x10828  dBase III DBT, version number 0, next free block index 40
                                    RT_ICON        0xd70fc  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                    RT_ICON        0xdb324  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                    RT_ICON        0xdd8cc  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 2583634198, next used block 268378390
                                    RT_ICON        0xde974  0x468    GLS_BINARY_LSB_FIRST
                                    RT_GROUP_ICON  0xdeddc  0x5a     data
                                    RT_GROUP_ICON  0xdee38  0x3e     data
                                    RT_VERSION     0xdee78  0x360    data
                                    RT_MANIFEST    0xdf1d8  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL | Import
mscoree.dll | _CorExeMain

A single native import, mscoree.dll!_CorExeMain, is the CLR bootstrap stub that every managed executable carries; together with the populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR above it confirms a .NET assembly, so the real import surface is in the .NET metadata rather than in the PE import table.

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Kanal 2 2012
Assembly Version | 2.0.0.0
InternalName | StateMachineAttribute.exe
FileVersion | 2.0.0.0
CompanyName | Kanal 2
LegalTrademarks |
Comments |
ProductName | eg2012
ProductVersion | 2.0.0.0
FileDescription | eg2012
OriginalFilename | StateMachineAttribute.exe

None of the version strings (company "Kanal 2", product "eg2012", original filename "StateMachineAttribute.exe") relate to the invoice-themed name the sample was delivered under, which is what the "suspicious name" signature above flags.

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/09/21-12:27:05.347540 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:27:11.955274 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:27:18.591909 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49729 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:27:26.227769 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49730 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:27:32.508491 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49733 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:27:38.991952 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49734 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:27:45.373698 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49738 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:27:51.829018 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:27:58.228453 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49744 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:28:04.638960 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:28:11.071658 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49746 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:28:17.698343 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:28:24.292595 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49750 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:28:30.871638 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49751 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:28:37.316002 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49752 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:28:45.059671 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753 | 6060 | 192.168.2.3 | 194.5.98.87
06/09/21-12:28:51.529358 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49754 | 6060 | 192.168.2.3 | 194.5.98.87

All 17 alerts are the same Emerging Threats signature (SID 2025019), one per outbound connection: the implant opens a new connection from a fresh ephemeral port to 194.5.98.87:6060 roughly every 6.5 seconds, and each connection is preceded by a fresh A lookup of kkmmtt.duckdns.org (see DNS Queries below). The short, fixed interval and the dynamic-DNS name are the two properties worth alerting on even where the payload signature does not fire.

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 9, 2021 12:27:04.508510113 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:04.746664047 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:04.746870995 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:05.347539902 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:05.637207985 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:05.639338017 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:05.754967928 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:05.756402969 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:05.934957981 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:05.935113907 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.055191040 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.055299997 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.178241968 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.178417921 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.339091063 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.339200020 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.473205090 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.473359108 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.630593061 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.630697966 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.717467070 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.717575073 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.728421926 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.728492975 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.728540897 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.728590965 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.732405901 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.732553005 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.753096104 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.910173893 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.910279989 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.978519917 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.978715897 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.985224962 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.985318899 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.988524914 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.988614082 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:06.996516943 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:06.996611118 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.005815029 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.005904913 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.018491983 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.018662930 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.028708935 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.031577110 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.034187078 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.127592087 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.204392910 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.204476118 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.229378939 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.229479074 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.231410027 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.231507063 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.243798971 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.243956089 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.252667904 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.252743006 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.261415958 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.261540890 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.270891905 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.271042109 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.281230927 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.281394958 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.292896032 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.293471098 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.299825907 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.301585913 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.306487083 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.306602001 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.318564892 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.319916010 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.328350067 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.328600883 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.330476046 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.331923008 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.335791111 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.337503910 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.348402977 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.348504066 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:07.349884987 CEST | 6060 | 49722 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:07.351563931 CEST | 49722 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:11.716170073 CEST | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:11.954631090 CEST | 6060 | 49727 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:11.954746008 CEST | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:11.955274105 CEST | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:12.255032063 CEST | 6060 | 49727 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:12.255147934 CEST | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:12.296803951 CEST | 6060 | 49727 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:12.296947002 CEST | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:12.532712936 CEST | 6060 | 49727 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:12.532912970 CEST | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:12.779066086 CEST | 6060 | 49727 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:12.779150009 CEST | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:13.068140030 CEST | 6060 | 49727 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:13.068226099 CEST | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:13.348069906 CEST | 6060 | 49727 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:13.348166943 CEST | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:13.434631109 CEST | 6060 | 49727 | 194.5.98.87 | 192.168.2.3
Jun 9, 2021 12:27:13.434756994 CEST | 49727 | 6060 | 192.168.2.3 | 194.5.98.87
Jun 9, 2021 12:27:13.436486959 CEST | 6060 | 49727 | 194.5.98.87 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 9, 2021 12:26:30.329935074 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:30.374217033 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:30.947962046 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:30.990341902 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:32.169609070 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:32.213593960 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:33.447658062 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:33.490641117 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:34.516899109 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:34.560410023 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:36.972568989 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:37.015171051 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:40.971595049 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:41.024444103 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:44.025785923 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:44.068353891 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:44.901585102 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:44.944592953 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:46.753384113 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:46.796030045 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:47.693731070 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:47.736138105 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:48.950440884 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:48.992955923 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:49.865845919 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:49.908509970 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:50.739286900 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:50.782165051 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:51.986284018 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:52.029021978 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:53.234291077 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:53.276851892 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:54.108412027 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:54.150525093 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:26:55.005482912 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:26:55.050013065 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:04.287075996 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:04.500524044 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:07.829258919 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:07.885978937 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:11.482922077 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:11.692248106 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:11.811383963 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:11.884952068 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:18.094793081 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:18.325519085 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:25.791501999 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:26.002885103 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:26.129486084 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:26.176453114 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:27.531553030 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:27.582923889 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:32.241118908 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:32.283983946 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:38.528435946 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:38.743886948 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:44.760835886 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:44.819168091 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:45.105695009 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:45.149060965 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:49.277759075 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:49.321965933 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:51.494065046 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:51.538211107 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:27:57.957446098 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:27:58.000147104 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:28:04.355906010 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:28:04.398801088 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:28:10.802517891 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:28:10.845539093 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:28:17.245949030 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:28:17.457616091 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:28:19.782424927 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:28:19.834125996 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:28:20.799566031 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:28:20.850713015 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:28:23.821482897 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:28:24.045945883 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:28:30.405299902 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:28:30.647680044 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:28:36.913624048 CEST | 62938 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:28:36.956681967 CEST | 53 | 62938 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:28:44.615665913 CEST | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:28:44.824454069 CEST | 53 | 55708 | 8.8.8.8 | 192.168.2.3
Jun 9, 2021 12:28:51.258869886 CEST | 56803 | 53 | 192.168.2.3 | 8.8.8.8
Jun 9, 2021 12:28:51.304605007 CEST | 53 | 56803 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 9, 2021 12:27:04.287075996 CEST | 192.168.2.3 | 8.8.8.8 | 0xd595 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:11.482922077 CEST | 192.168.2.3 | 8.8.8.8 | 0xb573 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:18.094793081 CEST | 192.168.2.3 | 8.8.8.8 | 0x1f2b | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:25.791501999 CEST | 192.168.2.3 | 8.8.8.8 | 0xccc4 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:32.241118908 CEST | 192.168.2.3 | 8.8.8.8 | 0xc481 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:38.528435946 CEST | 192.168.2.3 | 8.8.8.8 | 0x49c6 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:45.105695009 CEST | 192.168.2.3 | 8.8.8.8 | 0xdb89 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:51.494065046 CEST | 192.168.2.3 | 8.8.8.8 | 0xbc84 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:57.957446098 CEST | 192.168.2.3 | 8.8.8.8 | 0xe658 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:04.355906010 CEST | 192.168.2.3 | 8.8.8.8 | 0xa1e8 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:10.802517891 CEST | 192.168.2.3 | 8.8.8.8 | 0x2e9d | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:17.245949030 CEST | 192.168.2.3 | 8.8.8.8 | 0x40ad | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:23.821482897 CEST | 192.168.2.3 | 8.8.8.8 | 0x55ab | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:30.405299902 CEST | 192.168.2.3 | 8.8.8.8 | 0x5dcd | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:36.913624048 CEST | 192.168.2.3 | 8.8.8.8 | 0x18d6 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:44.615665913 CEST | 192.168.2.3 | 8.8.8.8 | 0x704e | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:51.258869886 CEST | 192.168.2.3 | 8.8.8.8 | 0xa772 | Standard query (0) | kkmmtt.duckdns.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 9, 2021 12:27:04.500524044 CEST | 8.8.8.8 | 192.168.2.3 | 0xd595 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:11.692248106 CEST | 8.8.8.8 | 192.168.2.3 | 0xb573 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:18.325519085 CEST | 8.8.8.8 | 192.168.2.3 | 0x1f2b | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:26.002885103 CEST | 8.8.8.8 | 192.168.2.3 | 0xccc4 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:32.283983946 CEST | 8.8.8.8 | 192.168.2.3 | 0xc481 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:38.743886948 CEST | 8.8.8.8 | 192.168.2.3 | 0x49c6 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:45.149060965 CEST | 8.8.8.8 | 192.168.2.3 | 0xdb89 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:51.538211107 CEST | 8.8.8.8 | 192.168.2.3 | 0xbc84 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:27:58.000147104 CEST | 8.8.8.8 | 192.168.2.3 | 0xe658 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:04.398801088 CEST | 8.8.8.8 | 192.168.2.3 | 0xa1e8 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:10.845539093 CEST | 8.8.8.8 | 192.168.2.3 | 0x2e9d | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:17.457616091 CEST | 8.8.8.8 | 192.168.2.3 | 0x40ad | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:24.045945883 CEST | 8.8.8.8 | 192.168.2.3 | 0x55ab | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:30.647680044 CEST | 8.8.8.8 | 192.168.2.3 | 0x5dcd | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:36.956681967 CEST | 8.8.8.8 | 192.168.2.3 | 0x18d6 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:44.824454069 CEST | 8.8.8.8 | 192.168.2.3 | 0x704e | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
Jun 9, 2021 12:28:51.304605007 CEST | 8.8.8.8 | 192.168.2.3 | 0xa772 | No error (0) | kkmmtt.duckdns.org | | 194.5.98.87 | A (IP address) | IN (0x0001)
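The DNS Queries and Answers tables show the behaviour a resolver log can catch without any payload signature: the same client asks for the same dynamic-DNS name at a near-constant interval. The script below is an added example and not part of the Joe Sandbox report. It groups lookups by (client, name), measures the inter-query gaps and flags groups whose coefficient of variation is small, which is how a beacon looks in DNS telemetry. The line format is constructed for the example (ISO timestamp, client, name, record type), the timestamps of the eight kkmmtt.duckdns.org lookups are copied from the table above, the contrasting "ctldl.windowsupdate.example" lines are invented, and the dynamic-DNS suffix list and the thresholds (five queries, CV at most 0.25) are assumptions.

```python
"""Beacon-periodicity check over DNS query log lines.

Added example; not part of the Joe Sandbox report. The log format below is
constructed for this example (timestamp, client, queried name, record type);
the kkmmtt.duckdns.org timestamps are copied from the report's DNS Queries
table, the other lines are invented for contrast.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed input: the first eight kkmmtt.duckdns.org lookups from the report,
# plus two irregular lookups of an unrelated (invented) name for contrast.
SAMPLE_LOG = """\
2021-06-09 12:26:30.329935 192.168.2.3 ctldl.windowsupdate.example A
2021-06-09 12:27:04.287075 192.168.2.3 kkmmtt.duckdns.org A
2021-06-09 12:27:11.482922 192.168.2.3 kkmmtt.duckdns.org A
2021-06-09 12:27:18.094793 192.168.2.3 kkmmtt.duckdns.org A
2021-06-09 12:27:25.791501 192.168.2.3 kkmmtt.duckdns.org A
2021-06-09 12:27:32.241118 192.168.2.3 kkmmtt.duckdns.org A
2021-06-09 12:27:38.528435 192.168.2.3 kkmmtt.duckdns.org A
2021-06-09 12:27:45.105695 192.168.2.3 kkmmtt.duckdns.org A
2021-06-09 12:27:51.494065 192.168.2.3 kkmmtt.duckdns.org A
2021-06-09 12:28:20.799566 192.168.2.3 ctldl.windowsupdate.example A
"""

# Dynamic-DNS suffixes that deserve extra scrutiny (assumed, illustrative list).
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")


def parse_lines(text):
    """Yield (timestamp, client_ip, qname) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, client, qname, _qtype = line.split()
        yield datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f"), client, qname


def find_beacons(text, min_queries=5, max_cv=0.25):
    """Group lookups by (client, name) and flag regular repeat queries.

    A periodic beacon has inter-query gaps with a small coefficient of
    variation (stddev / mean). Returns a dict keyed by (client, name) with
    the query count, mean gap in seconds, the CV and a dynamic-DNS flag.
    """
    buckets = defaultdict(list)
    for ts, client, qname in parse_lines(text):
        buckets[(client, qname)].append(ts)
    findings = {}
    for key, stamps in buckets.items():
        if len(stamps) < min_queries:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings[key] = {
                "count": len(stamps),
                "mean_gap": round(avg, 3),
                "cv": round(cv, 3),
                "dyndns": key[1].endswith(DYNDNS_SUFFIXES),
            }
    return findings


if __name__ == "__main__":
    for (client, name), info in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {name}: {info}")
```

On the sample the only hit is 192.168.2.3 -> kkmmtt.duckdns.org with a mean gap of about 6.7 seconds and a CV near 0.07; the invented windowsupdate lines never reach the minimum count. In production the same logic runs over a resolver's query log per hour or per day, and the dyndns flag is what separates this finding from the many legitimate periodic lookups (update checkers, monitoring agents) that also score a low CV.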

                                    Code Manipulations

                                    Statistics

                                    Behavior


System Behavior

General

Start time: 12:26:46
Start date: 09/06/2021
Path: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe'
Imagebase: 0x6c0000
File size: 907264 bytes
MD5 hash: 372A0F073E924D0411A1FB660840A4CB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 12:26:58
Start date: 09/06/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OWNYQkAV' /XML 'C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp'
Imagebase: 0x3d0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:26:58
Start date: 09/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                    General

                                    Start time:12:26:59
                                    Start date:09/06/2021
                                    Path:C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
                                    Imagebase:0x350000
                                    File size:907264 bytes
                                    MD5 hash:372A0F073E924D0411A1FB660840A4CB
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low

                                    General

                                    Start time:12:27:00
                                    Start date:09/06/2021
                                    Path:C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe
                                    Imagebase:0xdb0000
                                    File size:907264 bytes
                                    MD5 hash:372A0F073E924D0411A1FB660840A4CB
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.485726963.0000000003649000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                    Reputation:low

                                    Disassembly

                                    Code Analysis