
Windows Analysis Report ORDER TSA-A090621B.exe

Overview

General Information

Sample Name: ORDER TSA-A090621B.exe
Analysis ID: 451105
MD5: f5d3b895f4109e09f8918fc52147d154
SHA1: e4fe29023bd9af1916d7c12197949ddaed424e8b
SHA256: 9713a28e0645cc77089dfd921118db8827de0a8b7e8196d653da2002646bd3cf
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • ORDER TSA-A090621B.exe (PID: 3980 cmdline: 'C:\Users\user\Desktop\ORDER TSA-A090621B.exe' MD5: F5D3B895F4109E09F8918FC52147D154)
    • ORDER TSA-A090621B.exe (PID: 5464 cmdline: C:\Users\user\Desktop\ORDER TSA-A090621B.exe MD5: F5D3B895F4109E09F8918FC52147D154)
    • ORDER TSA-A090621B.exe (PID: 5692 cmdline: C:\Users\user\Desktop\ORDER TSA-A090621B.exe MD5: F5D3B895F4109E09F8918FC52147D154)
  • dhcpmon.exe (PID: 5228 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: F5D3B895F4109E09F8918FC52147D154)
    • dhcpmon.exe (PID: 2476 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: F5D3B895F4109E09F8918FC52147D154)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c9622013-90b3-4810-9b2a-2fbba172", "Domain1": "185.140.53.253", "Domain2": "dedicatedlambo9.ddns.net", "Port": 1604, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.499314536.0000000006B90000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
00000006.00000002.499314536.0000000006B90000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5fee:$x2: NanoCore.ClientPluginHost
  • 0x9441:$s4: PipeCreated
  • 0x6018:$s5: IClientLoggingHost
00000006.00000002.500192513.0000000007710000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
00000006.00000002.500192513.0000000007710000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x8ba5:$x2: NanoCore.ClientPluginHost
  • 0x9b74:$s2: FileCommand
  • 0xe576:$s4: PipeCreated
  • 0x8bbf:$s5: IClientLoggingHost
00000015.00000002.396003210.00000000039E9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(46 entries in the full report; the first five are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.ORDER TSA-A090621B.exe.6b00000.22.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x59eb:$x1: NanoCore.ClientPluginHost
  • 0x5b48:$x2: IClientNetworkHost
6.2.ORDER TSA-A090621B.exe.6b00000.22.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x59eb:$x2: NanoCore.ClientPluginHost
  • 0x6941:$s3: PipeExists
  • 0x5be1:$s4: PipeCreated
  • 0x5a05:$s5: IClientLoggingHost
6.2.ORDER TSA-A090621B.exe.6b20000.24.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
6.2.ORDER TSA-A090621B.exe.6b20000.24.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x5b99:$x2: NanoCore.ClientPluginHost
  • 0x6bce:$s4: PipeCreated
  • 0x5b86:$s5: IClientLoggingHost
6.2.ORDER TSA-A090621B.exe.65e4629.19.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
(126 entries in the full report; the first five are shown here)

Sigma Overview

Sigma detected: NanoCore (listed under AV Detection, E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality)
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\ORDER TSA-A090621B.exe, ProcessId: 5692, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
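The Sigma hit above rests on a single Sysmon FileCreate event: run.dat written into a GUID-named folder under %APPDATA%\Roaming. The following is an added example by the editor, not Joe Security's Sigma rule and not code from the report. It reconstructs that check over constructed Sysmon records, and adds a second check the process tree suggests: the same MD5 (f5d3b895f4109e09f8918fc52147d154) executing from two different paths, the Desktop sample and dhcpmon.exe under Program Files (x86). The event dicts are constructed; the first four carry values printed in the report, the last two are benign noise (explorer.exe, notepad.exe, an invented all-zero hash) included to show the checks stay quiet on them.

```python
"""Sigma-style triage of Sysmon events for the NanoCore artifacts in this report.

Added example by the editor (not Joe Security's rule, not report code).
Check 1: EventID 11 (FileCreate) of run.dat inside %APPDATA%\\Roaming\\<GUID>\\.
Check 2: one MD5 (EventID 1 'Hashes' field) running from more than one image path.
"""
import re

GUID = r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"
# Report: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
RUN_DAT = re.compile(r"\\AppData\\Roaming\\" + GUID + r"\\run\.dat$", re.IGNORECASE)

# Constructed Sysmon records flattened to dicts; field names follow Sysmon's event data.
EVENTS = [
    {"EventID": 1, "ProcessId": 3980, "Image": r"C:\Users\user\Desktop\ORDER TSA-A090621B.exe",
     "Hashes": "MD5=F5D3B895F4109E09F8918FC52147D154"},
    {"EventID": 1, "ProcessId": 5692, "Image": r"C:\Users\user\Desktop\ORDER TSA-A090621B.exe",
     "Hashes": "MD5=F5D3B895F4109E09F8918FC52147D154"},
    {"EventID": 11, "ProcessId": 5692, "Image": r"C:\Users\user\Desktop\ORDER TSA-A090621B.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ProcessId": 5228, "Image": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "Hashes": "MD5=F5D3B895F4109E09F8918FC52147D154"},
    # Benign noise (constructed): a run.dat.lnk outside a GUID folder, and a system
    # binary with an invented hash.  Neither check should fire on these.
    {"EventID": 11, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\run.dat.lnk"},
    {"EventID": 1, "ProcessId": 4444, "Image": r"C:\Windows\System32\notepad.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
]


def md5_of(event):
    """MD5 from Sysmon's 'Hashes' field ('MD5=...,SHA256=...'), lower-case, or ''."""
    pairs = (h.split("=", 1) for h in event.get("Hashes", "").split(",") if "=" in h)
    return dict(pairs).get("MD5", "").lower()


def match_run_dat(event):
    """Sigma-equivalent of the report's hit: FileCreate of run.dat in %APPDATA%\\<GUID>\\."""
    return event.get("EventID") == 11 and bool(RUN_DAT.search(event.get("TargetFilename", "")))


def relocated_hashes(events):
    """MD5 -> sorted image paths, only for hashes that ran from more than one path."""
    by_hash = {}
    for e in events:
        if e.get("EventID") == 1 and md5_of(e):
            by_hash.setdefault(md5_of(e), set()).add(e["Image"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def triage(events):
    """Both checks over one event list; tuples are (ProcessId, Image, TargetFilename)."""
    hits = [(e["ProcessId"], e["Image"], e["TargetFilename"]) for e in events if match_run_dat(e)]
    return {"run_dat": hits, "relocated": relocated_hashes(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The GUID folder name varies per build, so the regex keys on the shape of the path rather than on D06ED635-68F6-4E9A-955C-4899F5F57B9A; the hash check is the generic form of what the process tree shows and will also catch copies dropped under names other than dhcpmon.exe.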

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000015.00000002.396003210.00000000039E9000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: dedicatedlambo9.ddns.net | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: ORDER TSA-A090621B.exe | Virustotal: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match | File source: 6.2.ORDER TSA-A090621B.exe.65e4629.19.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ORDER TSA-A090621B.exe.44b8a40.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ORDER TSA-A090621B.exe.65e0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ORDER TSA-A090621B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ORDER TSA-A090621B.exe.65e0000.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.dhcpmon.exe.3a2ff6c.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ORDER TSA-A090621B.exe.44bd069.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.dhcpmon.exe.3a2b136.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.dhcpmon.exe.3a34595.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.ORDER TSA-A090621B.exe.44b8a40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.dhcpmon.exe.3a2ff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.396003210.00000000039E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.394406077.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.395871359.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.498755747.00000000065E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.482529229.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.494838294.00000000044A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.489008599.0000000003451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ORDER TSA-A090621B.exe PID: 5692, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2476, type: MEMORY
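The Yara sources above encode where in each process the RAT was found, but the names are dense. The following is an added example by the editor, not Joe Sandbox code, that decodes them and correlates them with the process tree. The field layout it assumes for a name such as 00000006.00000002.482529229.0000000000402000.00000040.00000001.sdmp (process index in hex, dump stage, dump id, base address in hex, page protection in hex, type flag) is the editor's reading of the report, and the index-to-PID map (6 = PID 5692, 0x15 = 21 = PID 2476) is inferred from the report naming exactly those two PIDs as matching process memory spaces. Only the Windows PAGE_* protection constants are facts independent of the page.

```python
"""Decode Joe Sandbox memory-dump / unpacked-PE names from the Yara match list and
summarize per process.  Added example by the editor; field semantics and the
index->PID map are assumptions stated in the lead-in.
"""
import re

# winnt.h page protection values; the execute flags are 0x10..0x80.
PAGE_PROTECT = {0x01: "NOACCESS", 0x02: "R", 0x04: "RW", 0x08: "WC",
                0x10: "X", 0x20: "RX", 0x40: "RWX", 0x80: "WCX"}

# Assumption: sandbox process index -> (PID, image), taken from this report.
PROCESS_INDEX = {6: (5692, "ORDER TSA-A090621B.exe"), 21: (2476, "dhcpmon.exe")}

DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)(\.raw)?\.unpack$")

# The "Yara detected Nanocore RAT" sources exactly as the report lists them.
YARA_SOURCES = [
    "6.2.ORDER TSA-A090621B.exe.65e4629.19.raw.unpack",
    "6.2.ORDER TSA-A090621B.exe.44b8a40.6.unpack",
    "21.2.dhcpmon.exe.400000.0.unpack",
    "6.2.ORDER TSA-A090621B.exe.65e0000.18.raw.unpack",
    "6.2.ORDER TSA-A090621B.exe.400000.0.unpack",
    "6.2.ORDER TSA-A090621B.exe.65e0000.18.unpack",
    "21.2.dhcpmon.exe.3a2ff6c.4.unpack",
    "6.2.ORDER TSA-A090621B.exe.44bd069.7.raw.unpack",
    "21.2.dhcpmon.exe.3a2b136.5.raw.unpack",
    "21.2.dhcpmon.exe.3a34595.3.raw.unpack",
    "6.2.ORDER TSA-A090621B.exe.44b8a40.6.raw.unpack",
    "21.2.dhcpmon.exe.3a2ff6c.4.raw.unpack",
    "00000015.00000002.396003210.00000000039E9000.00000004.00000001.sdmp",
    "00000015.00000002.394406077.0000000000402000.00000040.00000001.sdmp",
    "00000015.00000002.395871359.00000000029E1000.00000004.00000001.sdmp",
    "00000006.00000002.498755747.00000000065E0000.00000004.00000001.sdmp",
    "00000006.00000002.482529229.0000000000402000.00000040.00000001.sdmp",
    "00000006.00000002.494838294.00000000044A5000.00000004.00000001.sdmp",
    "00000006.00000002.489008599.0000000003451000.00000004.00000001.sdmp",
]


def parse_source(name):
    """Describe one Yara source name; None if it is neither a dump nor an unpack name."""
    m = DUMP_RE.match(name)
    if m:
        idx, prot = int(m.group(1), 16), int(m.group(5), 16)
        pid, image = PROCESS_INDEX.get(idx, (None, None))
        return {"kind": "memory", "index": idx, "pid": pid, "image": image,
                "base": int(m.group(4), 16), "protect": PAGE_PROTECT.get(prot, hex(prot)),
                "executable": bool(prot & 0xF0)}
    m = UNPACK_RE.match(name)
    if m:
        idx = int(m.group(1))
        pid, _ = PROCESS_INDEX.get(idx, (None, None))
        return {"kind": "unpacked_pe", "index": idx, "pid": pid, "image": m.group(3),
                "base": int(m.group(4), 16), "raw": m.group(6) is not None}
    return None


def summarize(sources):
    """Per PID: number of hits and the executable memory regions that matched."""
    out = {}
    for name in sources:
        p = parse_source(name)
        if p is None or p["pid"] is None:
            continue
        s = out.setdefault(p["pid"], {"image": p["image"], "hits": 0, "executable_regions": []})
        s["hits"] += 1
        if p["kind"] == "memory" and p["executable"]:
            s["executable_regions"].append(hex(p["base"]))
    return out


if __name__ == "__main__":
    for pid, s in summarize(YARA_SOURCES).items():
        print(pid, s)
```

Run over the list, this shows that in both PID 5692 and PID 2476 the only executable (RWX, 0x40) region that matched is at 0x402000, while the other matching dumps are RW heap regions; an RWX match just past an image base of 0x400000, in a child spawned with the parent's own command line, is what the report's "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures describe.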
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ORDER TSA-A090621B.exe | Joe Sandbox ML: detected
Source: 6.2.ORDER TSA-A090621B.exe.65e0000.18.unpack | Avira: Label: TR/NanoCore.fadte
Source: 21.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.ORDER TSA-A090621B.exe.44b8a40.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: 6.2.ORDER TSA-A090621B.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: ORDER TSA-A090621B.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ORDER TSA-A090621B.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb | source: ORDER TSA-A090621B.exe, 00000006.00000002.495158734.00000000045F7000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: ORDER TSA-A090621B.exe, 00000006.00000002.495158734.00000000045F7000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: ORDER TSA-A090621B.exe, 00000006.00000002.495158734.00000000045F7000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: ORDER TSA-A090621B.exe, 00000006.00000002.495158734.00000000045F7000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: ORDER TSA-A090621B.exe, 00000006.00000002.495158734.00000000045F7000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: ORDER TSA-A090621B.exe, 00000006.00000002.495158734.00000000045F7000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: dedicatedlambo9.ddns.net
Source: Malware configuration extractor | URLs: 185.140.53.253
Uses dynamic DNS services
Source: unknown | DNS query: name: dedicatedlambo9.ddns.net
Source: global traffic | TCP traffic: 192.168.2.3:49725 -> 185.140.53.253:1604
Source: global traffic | TCP traffic: 192.168.2.3:49732 -> 84.38.133.182:1604
Source: Joe Sandbox View | IP Address: 185.140.53.253
Source: Joe Sandbox View | ASN Name: DATACLUB-NL
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.253 (reported 9 times; Domain1 in the configuration is this IP literal, so the client connects to it without any lookup)
Source: unknown | DNS traffic detected: queries for: dedicatedlambo9.ddns.net
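The configuration under Malware Configuration and the traffic listed in this section fit together: Domain1 is an IP literal, Domain2 a free dynamic-DNS name, both on port 1604, and the client is told to resolve through 8.8.8.8 / 8.8.4.4 rather than the system resolver. The following is an added example by the editor, not code from the report, Joe Security or NanoCore, that derives network indicators from the configuration exactly as the extractor printed it and checks flow records against them. The two flows reproduce the TCP connections the report lists; the DNS record is constructed, since the report does not print what dedicatedlambo9.ddns.net resolved to, and the example assumes 84.38.133.182 only because that is the one destination the report does not flag as lacking a DNS query. The dynamic-DNS suffix list and the common-port set are the editor's assumptions.

```python
"""NanoCore configuration -> network indicators, applied to flow and DNS records.
Added example by the editor; REPORT_CONFIG is the report's extracted configuration,
all other data below is constructed as described in the lead-in.
"""
import ipaddress

REPORT_CONFIG = {
    "Version": "1.2.2.0", "Mutex": "c9622013-90b3-4810-9b2a-2fbba172",
    "Domain1": "185.140.53.253", "Domain2": "dedicatedlambo9.ddns.net", "Port": 1604,
    "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable",
    "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable",
    "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable",
    "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000,
    "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500,
    "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000",
    "GCThreshold": "0000a000", "UseCustomDNS": "Enable",
    "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4",
}

DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.com", ".no-ip.org", ".hopto.org", ".duckdns.org")  # assumption
COMMON_PORTS = {25, 53, 80, 443, 587, 993, 995, 8080}  # assumption: what counts as "standard"


def c2_endpoints(cfg):
    """Domain1/Domain2 with the configured port, tagged ip-literal / dynamic-dns / domain."""
    out = []
    for key in ("Domain1", "Domain2"):
        host = cfg.get(key)
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            kind = "ip-literal"          # no DNS lookup will precede this connection
        except ValueError:
            kind = "dynamic-dns" if host.lower().endswith(DYNDNS_SUFFIXES) else "domain"
        out.append({"host": host, "port": int(cfg["Port"]), "kind": kind})
    return out


def resolver_bypass(cfg):
    """Resolvers the client queries directly instead of the system resolver, if enabled."""
    if cfg.get("UseCustomDNS") != "Enable":
        return []
    return [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]


# Constructed records: the report's two flows plus one benign HTTPS flow to a TEST-NET
# address; the ddns answer is an assumption (see lead-in).
DNS_LOG = [{"query": "dedicatedlambo9.ddns.net", "answers": ["84.38.133.182"]},
           {"query": "www.example.com", "answers": ["203.0.113.5"]}]
FLOWS = [
    {"src": "192.168.2.3", "sport": 49725, "dst": "185.140.53.253", "dport": 1604},
    {"src": "192.168.2.3", "sport": 49732, "dst": "84.38.133.182", "dport": 1604},
    {"src": "192.168.2.3", "sport": 49800, "dst": "203.0.113.5", "dport": 443},
]


def check_flows(flows, dns_log, cfg):
    """Tag each flow: C2 from config (by IP or by the name that resolved to the IP),
    destination never resolved, dynamic-DNS destination, non-standard port."""
    resolved = {ip: rec["query"] for rec in dns_log for ip in rec["answers"]}
    c2 = {(e["host"], e["port"]) for e in c2_endpoints(cfg)}
    results = []
    for f in flows:
        dst, port, tags = f["dst"], f["dport"], []
        name = resolved.get(dst)
        if (dst, port) in c2 or (name, port) in c2:
            tags.append("c2-from-config")
        if name is None:
            tags.append("no-dns-for-dst")
        elif name.lower().endswith(DYNDNS_SUFFIXES):
            tags.append("dynamic-dns")
        if port not in COMMON_PORTS:
            tags.append("non-standard-port")
        results.append({"flow": f"{f['src']}:{f['sport']} -> {dst}:{port}", "tags": tags})
    return results


if __name__ == "__main__":
    print(c2_endpoints(REPORT_CONFIG), resolver_bypass(REPORT_CONFIG))
    for r in check_flows(FLOWS, DNS_LOG, REPORT_CONFIG):
        print(r)
```

Two caveats fall out of the configuration. Because UseCustomDNS sends the lookup for the ddns name to 8.8.8.8 / 8.8.4.4, DNS_LOG has to come from packet capture or passive DNS at the egress, not from the internal resolver's logs, or the second flow will be wrongly tagged as unresolved. And the "no-dns-for-dst" tag on the first flow is expected behaviour for an IP-literal C2, which is why the report's "TCP traffic detected without corresponding DNS query" entries are not evidence of a missed lookup.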
The entries below are URL-like strings found in memory, not observed connections: http://google.com comes from the RAT process (00000006); the type-foundry addresses that follow (Ascender, Font Bureau, Founder, Galapagos Design, Jiyukobo, Saja Typeworks, Sakkal, Tiro, URW++) come from font metadata in the memory of the initial process (00000000), and none of them appears among the TCP destinations listed above. The trailing characters on many of them (fontbureau.coma, founder.com.cn/cnU, jiyu-kobo.co.jp/vau and so on) are almost certainly adjacent bytes picked up by the string scanner rather than distinct URLs.
Source: ORDER TSA-A090621B.exe, 00000006.00000002.495158734.00000000045F7000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: ORDER TSA-A090621B.exe, 00000000.00000003.222050397.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: ORDER TSA-A090621B.exe, 00000000.00000003.224250843.0000000005EB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: ORDER TSA-A090621B.exe, 00000000.00000003.223095895.0000000005EEE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/c
Source: ORDER TSA-A090621B.exe, 00000000.00000003.223387249.0000000005EC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmla-d
Source: ORDER TSA-A090621B.exe, 00000000.00000003.224250843.0000000005EB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: ORDER TSA-A090621B.exe, 00000000.00000003.224250843.0000000005EB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: ORDER TSA-A090621B.exe, 00000000.00000003.223942585.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomF
Source: ORDER TSA-A090621B.exe, 00000000.00000003.224250843.0000000005EB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdr
Source: ORDER TSA-A090621B.exe, 00000000.00000003.224250843.0000000005EB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comonyd
Source: ORDER TSA-A090621B.exe, 00000000.00000003.224250843.0000000005EB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comueTF
Source: ORDER TSA-A090621B.exe, 00000000.00000003.219349774.000000000163D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER TSA-A090621B.exe, 00000000.00000003.219531458.0000000005EB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn#
Source: ORDER TSA-A090621B.exe, 00000000.00000003.219878349.0000000005EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: ORDER TSA-A090621B.exe, 00000000.00000003.219748597.0000000005EB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/s
Source: ORDER TSA-A090621B.exe, 00000000.00000003.219878349.0000000005EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnA
Source: ORDER TSA-A090621B.exe, 00000000.00000003.219878349.0000000005EB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnU
Source: ORDER TSA-A090621B.exe, 00000000.00000003.219326151.0000000005EBE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd
Source: ORDER TSA-A090621B.exe, 00000000.00000003.224689665.0000000005EC3000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp, ORDER TSA-A090621B.exe, 00000000.00000003.221519161.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/71
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/V
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0d
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/arge
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: ORDER TSA-A090621B.exe, 00000000.00000003.222050397.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/71
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/M
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ns.
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/vau
Source: ORDER TSA-A090621B.exe, 00000000.00000003.221807307.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/vnoi
Source: ORDER TSA-A090621B.exe, 00000000.00000003.216916556.0000000005EB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER TSA-A090621B.exe, 00000000.00000003.216916556.0000000005EB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comD
Source: ORDER TSA-A090621B.exe, 00000000.00000003.216916556.0000000005EB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comc
Source: ORDER TSA-A090621B.exe, 00000000.00000003.222050397.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comd
Source: ORDER TSA-A090621B.exe, 00000000.00000003.222050397.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comx.
Source: ORDER TSA-A090621B.exe, 00000000.00000003.218772474.0000000005ECB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: ORDER TSA-A090621B.exe, 00000000.00000003.218772474.0000000005ECB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comn
Source: ORDER TSA-A090621B.exe, 00000000.00000003.223942585.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: ORDER TSA-A090621B.exe, 00000000.00000003.223942585.0000000005EB5000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.delar