Windows Analysis Report Proof of payment.jpg.scr

Overview

General Information

Sample Name: Proof of payment.jpg.scr (renamed file extension from scr to exe)
Analysis ID: 501103
MD5: f16a886b0c04454901ac6d0923297c0e
SHA1: 47ed9cbe0c0430444ffd842a231c06a258fe6a5d
SHA256: 9f4c690fdf0c329b419eb7cbf02c874dd7be5ec7bb3585a0c94a0aba266604d4
Tags: exe, nanocore

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Proof of payment.jpg.exe (PID: 2940 cmdline: 'C:\Users\user\Desktop\Proof of payment.jpg.exe' MD5: F16A886B0C04454901AC6D0923297C0E)
    • schtasks.exe (PID: 5080 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 2600 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5",
  "Domain1": "harold.accesscam.org",
  "Domain2": "harold.2waky.com",
  "Port": 6051,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.260632599.00000000028A1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf3595:$x1: NanoCore.ClientPluginHost
  • 0x125db5:$x1: NanoCore.ClientPluginHost
  • 0xf35d2:$x2: IClientNetworkHost
  • 0x125df2:$x2: IClientNetworkHost
  • 0xf7105:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x129925:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xf32fd:$a: NanoCore
  • 0xf330d:$a: NanoCore
  • 0xf3541:$a: NanoCore
  • 0xf3555:$a: NanoCore
  • 0xf3595:$a: NanoCore
  • 0x125b1d:$a: NanoCore
  • 0x125b2d:$a: NanoCore
  • 0x125d61:$a: NanoCore
  • 0x125d75:$a: NanoCore
  • 0x125db5:$a: NanoCore
  • 0xf335c:$b: ClientPlugin
  • 0xf355e:$b: ClientPlugin
  • 0xf359e:$b: ClientPlugin
  • 0x125b7c:$b: ClientPlugin
  • 0x125d7e:$b: ClientPlugin
  • 0x125dbe:$b: ClientPlugin
  • 0xf3483:$c: ProjectData
  • 0x125ca3:$c: ProjectData
  • 0x202a9e:$c: ProjectData
  • 0x27d2be:$c: ProjectData
  • 0xf3e8a:$d: DESCrypto

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Proof of payment.jpg.exe.3984408.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Proof of payment.jpg.exe.3984408.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.Proof of payment.jpg.exe.3984408.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.Proof of payment.jpg.exe.3984408.2.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.Proof of payment.jpg.exe.28a9640.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Proof of payment.jpg.exe' , ParentImage: C:\Users\user\Desktop\Proof of payment.jpg.exe, ParentProcessId: 2940, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Proof of payment.jpg.exe' , ParentImage: C:\Users\user\Desktop\Proof of payment.jpg.exe, ParentProcessId: 2940, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: harold.2waky.com | Virustotal: Detection: 14%
Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Proof of payment.jpg.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Proof of payment.jpg.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: harold.accesscam.org
Source: Malware configuration extractor | URLs: harold.2waky.com
Source: Joe Sandbox View | ASN Name: DATAWIRE-ASCH DATAWIRE-ASCH
Source: Joe Sandbox View | IP Address: 185.19.85.137 185.19.85.137
Source: global traffic | TCP traffic: 192.168.2.5:49749 -> 185.19.85.137:6051
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Proof of payment.jpg.exe, 00000000.00000002.264668051.0000000006A00000.00000004.00020000.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Proof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Proof of payment.jpg.exe, 00000000.00000003.248777304.0000000004D09000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerst
Source: Proof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comB.TTFK
Source: Proof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Proof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.commN
Source: Proof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/-tR
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Proof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnX
Source: Proof of payment.jpg.exe, 00000000.00000003.243112899.0000000004D04000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cne
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0eb
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ana
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: Proof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Proof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com-d
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr2011
Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krlearn
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000003.241616923.0000000004D1B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Proof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comc
Source: Proof of payment.jpg.exe, 00000000.00000003.241594978.0000000004D1B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comj
Source: Proof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.commN
Source: Proof of payment.jpg.exe, 00000000.00000003.242010011.0000000004D1B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comymP
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: harold.accesscam.org
Source: Proof of payment.jpg.exe, 00000000.00000002.259975282.0000000000828000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Initial sample is a PE file and has a suspicious nameShow sources
            Source: initial sampleStatic PE information: Filename: Proof of payment.jpg.exe
            Source: Proof of payment.jpg.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_001443510_2_00144351
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_001466F90_2_001466F9
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_0252897A0_2_0252897A
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_025201100_2_02520110
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_02522E750_2_02522E75
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_02522E780_2_02522E78
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_025230C00_2_025230C0
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_025201020_2_02520102
            Source: Proof of payment.jpg.exe, 00000000.00000002.259975282.0000000000828000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Proof of payment.jpg.exe
            Source: Proof of payment.jpg.exe, 00000000.00000002.265029079.0000000006BA0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs Proof of payment.jpg.exe
            Source: Proof of payment.jpg.exe, 00000000.00000002.259658160.00000000001EA000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIdenti.exe4 vs Proof of payment.jpg.exe
            Source: Proof of payment.jpg.exeBinary or memory string: OriginalFilenameIdenti.exe4 vs Proof of payment.jpg.exe
            Source: Proof of payment.jpg.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: eoPqnTxJGg.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Proof of payment.jpg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: eoPqnTxJGg.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile read: C:\Users\user\Desktop\Proof of payment.jpg.exeJump to behavior
            Source: Proof of payment.jpg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Proof of payment.jpg.exe 'C:\Users\user\Desktop\Proof of payment.jpg.exe'
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile created: C:\Users\user\AppData\Roaming\eoPqnTxJGg.exeJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile created: C:\Users\user\AppData\Local\Temp\tmpB6E9.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@6/8@25/2
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ed2d5ce0-ca4d-4264-be01-91a018d59d09}
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Proof of payment.jpg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Proof of payment.jpg.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Data Obfuscation:

.NET source code contains potential unpacker
Source: Proof of payment.jpg.exe, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: eoPqnTxJGg.exe.0.dr, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Proof of payment.jpg.exe.140000.0.unpack, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Proof of payment.jpg.exe.140000.0.unpack, WinMixer/frmMain.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Code function: 0_2_022529E3 push cs; ret 0_2_022529E6
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Code function: 0_2_02252477 push esi; ret 0_2_022524DE
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Code function: 0_2_02252C95 push es; ret 0_2_02252C96
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Code function: 0_2_02267C5B push ecx; ret 0_2_02267C69
Source: initial sample | Static PE information: section name: .text entropy: 7.85777209159
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | File created: C:\Users\user\AppData\Roaming\eoPqnTxJGg.exe

            Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'

            Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: jpg.exe | Static PE information: Proof of payment.jpg.exe
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.Proof of payment.jpg.exe.28a9640.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260632599.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Proof of payment.jpg.exe PID: 2940, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe TID: 4036 | Thread sleep time: -39648s >= -30000s
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe TID: 5040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe