Windows Analysis Report Proof of payment.jpg.scr

Overview

General Information

Sample Name:	Proof of payment.jpg.scr (renamed file extension from scr to exe)
Analysis ID:	501103
MD5:	f16a886b0c04454901ac6d0923297c0e
SHA1:	47ed9cbe0c0430444ffd842a231c06a258fe6a5d
SHA256:	9f4c690fdf0c329b419eb7cbf02c874dd7be5ec7bb3585a0c94a0aba266604d4
Tags:	exenanocore
Infos:
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Multi AV Scanner detection for domain / URL

Yara detected Nanocore RAT

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for domain / URL

Source: harold.2waky.com

Virustotal: Detection: 14%

Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY

Compliance:

Uses 32bit PE files

Source: Proof of payment.jpg.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\Proof of payment.jpg.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: Malware configuration extractor	URLs: harold.accesscam.org
Source: Malware configuration extractor	URLs: harold.2waky.com

Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Proof of payment.jpg.exe, 00000000.00000002.264668051.0000000006A00000.00000004.00020000.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Proof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Proof of payment.jpg.exe, 00000000.00000003.248777304.0000000004D09000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerst
Source: Proof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTFK
Source: Proof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Proof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.commN
Source: Proof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/-tR
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Proof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnX
Source: Proof of payment.jpg.exe, 00000000.00000003.243112899.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cne
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0eb
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ana
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: Proof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Proof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com-d
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr2011
Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krlearn
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000003.241616923.0000000004D1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Proof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comc
Source: Proof of payment.jpg.exe, 00000000.00000003.241594978.0000000004D1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comj
Source: Proof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.commN
Source: Proof of payment.jpg.exe, 00000000.00000003.242010011.0000000004D1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comymP
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_00144351	0_2_00144351
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_001466F9	0_2_001466F9
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_0252897A	0_2_0252897A
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_02520110	0_2_02520110
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_02522E75	0_2_02522E75
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_02522E78	0_2_02522E78
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_025230C0	0_2_025230C0
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_02520102	0_2_02520102

Source: Proof of payment.jpg.exe, 00000000.00000002.259975282.0000000000828000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs Proof of payment.jpg.exe
Source: Proof of payment.jpg.exe, 00000000.00000002.265029079.0000000006BA0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs Proof of payment.jpg.exe
Source: Proof of payment.jpg.exe, 00000000.00000002.259658160.00000000001EA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIdenti.exe4 vs Proof of payment.jpg.exe
Source: Proof of payment.jpg.exe	Binary or memory string: OriginalFilenameIdenti.exe4 vs Proof of payment.jpg.exe

Source: Proof of payment.jpg.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eoPqnTxJGg.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Proof of payment.jpg.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eoPqnTxJGg.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: unknown	Process created: C:\Users\user\Desktop\Proof of payment.jpg.exe 'C:\Users\user\Desktop\Proof of payment.jpg.exe'
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{ed2d5ce0-ca4d-4264-be01-91a018d59d09}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Proof of payment.jpg.exe, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: eoPqnTxJGg.exe.0.dr, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Proof of payment.jpg.exe.140000.0.unpack, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Proof of payment.jpg.exe.140000.0.unpack, WinMixer/frmMain.cs	.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_022529E3 push cs; ret	0_2_022529E6
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_02252477 push esi; ret	0_2_022524DE
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_02252C95 push es; ret	0_2_02252C96
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Code function: 0_2_02267C5B push ecx; ret	0_2_02267C69

Source: initial sample	Static PE information: section name: .text entropy: 7.85777209159
Source: initial sample	Static PE information: section name: .text entropy: 7.85777209159

Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Proof of payment.jpg.exe TID: 4036	Thread sleep time: -39648s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe TID: 5040	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 716			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 638			Jump to behavior

Windows Analysis Report Proof of payment.jpg.scr

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Thread delayed: delay time: 39648	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: FFF008	Jump to behavior

Source: RegSvcs.exe, 00000006.00000003.366721485.000000000659E000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000006.00000003.399886156.0000000006596000.00000004.00000001.sdmp	Binary or memory string: Program ManagerbR

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Name	IP	Active
harold.2waky.com	185.19.85.137	true
harold.accesscam.org	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
harold.accesscam.org	true	Avira URL Cloud: safe	unknown
harold.2waky.com	true	Avira URL Cloud: safe	unknown

ID:	501103
Product:	CloudBasic
Start time:	15:08:19
Start date:	12.10.2021
Sample:	Proof of payment.jpg.scr
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	f16a886b0c04454901ac6d0923297c0e
SHA1:	47ed9cbe0c0430444ffd842a231c06a258fe6a5d
SHA256:	9f4c690fdf0c329b419eb7cbf02c874dd7be5ec7bb3585a0c94a0aba266604d4
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Proof of payment.jpg.exe.log	ASCII text, with CRLF line terminators	61CCF53571C9ABA6511D696CB0D32E45	A13A42A20EC14942F52DB20FB16A0A520F8183CE	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	1358393D4D1CFCCE7BD6823A860F20B2	E513A17C19EB5C677435DC73C2533D2A7C52B59F	66F6CF12179F5F9B8305C4A927D4084B553D9E90166D0D1B1056925D34A9B982
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat	data	5E3C10DCF7AAB1A5E4671C3AD52D9BD2	7DE7F5ACAED711BC35E62756D1440E80262D85D1	B9EB9E732F6204735FFB2C9A6EC8F077E4B4F31E57E336199D22278EAD8412F9
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	data	108FC92C1878B6BB04738FB9430AD1A0	030EF679702BA4AC7629B9D6D3980231F35CE18C	FB9CF8B94C82519C911F1EE89763BF9EDFE05EAC3FDBF7A09229E6BE9AD2DCE2
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin	data	4E5E92E2369688041CC82EF9650EDED2	15E44F2F3194EE232B44E9684163B6F66472C862	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat	data	653DDDCB6C89F6EC51F3DDC0053C5914	4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5	83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
C:\Users\user\AppData\Roaming\eoPqnTxJGg.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	F16A886B0C04454901AC6D0923297C0E	47ED9CBE0C0430444FFD842A231C06A258FE6A5D	9F4C690FDF0C329B419EB7CBF02C874DD7BE5EC7BB3585A0C94A0ABA266604D4
C:\Users\user\AppData\Roaming\eoPqnTxJGg.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309