
Windows Analysis Report Proof of payment.jpg.scr

Overview

General Information

Sample Name: Proof of payment.jpg.scr (renamed file extension from scr to exe)
Analysis ID: 501103
MD5: f16a886b0c04454901ac6d0923297c0e
SHA1: 47ed9cbe0c0430444ffd842a231c06a258fe6a5d
SHA256: 9f4c690fdf0c329b419eb7cbf02c874dd7be5ec7bb3585a0c94a0aba266604d4
Tags: exe, nanocore

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • Proof of payment.jpg.exe (PID: 2940 cmdline: 'C:\Users\user\Desktop\Proof of payment.jpg.exe' MD5: F16A886B0C04454901AC6D0923297C0E)
    • schtasks.exe (PID: 5080 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 2600 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
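The configuration above is the report's extractor output. The Python below is an added example (not part of the Joe Sandbox report and not NanoCore code) that turns those fields into indicators an analyst can match against host and network telemetry: the two C2 domains with the configured port, the mutex name (the extractor shows 32 characters of it, while the mutant RegSvcs.exe creates later in this report is Global\{ed2d5ce0-ca4d-4264-be01-91a018d59d09}, so the match is on the prefix), and the hard-coded resolvers used when UseCustomDNS is enabled. The config literal is copied from the report and the resolved IP used below is the one the report observed; the function names, the prefix-matching rule and the hunting note about direct DNS are this example's assumptions.

```python
"""Derive indicators from an extracted NanoCore configuration and match
observed artefacts (mutant names, connections) against them.

Added example; not from the Joe Sandbox report and not NanoCore code.
"""
import json
import re

# Configuration exactly as the report's "Malware Configuration" section shows it.
NANOCORE_CONFIG = r'''{"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5",
 "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051,
 "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable",
 "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable",
 "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable",
 "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000,
 "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500,
 "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000",
 "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}'''


def load_config(text):
    """The extractor emits plain JSON, so the standard parser is enough."""
    return json.loads(text)


def c2_domains(cfg):
    # NanoCore builds carry up to two C2 hostnames in Domain1/Domain2.
    return [cfg[k] for k in ("Domain1", "Domain2") if cfg.get(k)]


def mutex_regex(cfg):
    """Regex for the runtime mutant derived from the configured mutex.

    Assumption (consistent with this report): the extractor reports 32 characters
    of the GUID and the live mutant is Global\\{<those 32 chars><more hex>}, so we
    anchor on the prefix and allow any trailing hex before the closing brace.
    """
    return re.compile(r"\\Global\\\{" + re.escape(cfg["Mutex"]) + r"[0-9a-fA-F]*\}$")


def matches_mutant(cfg, mutant_name):
    return mutex_regex(cfg).search(mutant_name) is not None


def matches_connection(cfg, host, port, resolved=frozenset()):
    """True when (host, port) hits the configured port and either a configured
    domain or an IP the analyst has seen those domains resolve to. The report
    observed 185.19.85.137:6051 for this sample; pass it via `resolved`."""
    if int(port) != int(cfg["Port"]):
        return False
    domains = {d.lower() for d in c2_domains(cfg)}
    return host.lower() in domains or host in resolved


def custom_dns_servers(cfg):
    """Resolvers the client is configured to query directly when UseCustomDNS is
    enabled. Hunting assumption, not a report finding: a workstation process other
    than the system resolver sending UDP/53 to these addresses is worth a look,
    because the C2 lookup then never reaches the internal DNS logs."""
    if cfg.get("UseCustomDNS") != "Enable":
        return []
    return [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]


def indicators(cfg):
    """Compact indicator set for sharing or loading into a SIEM watchlist."""
    return {
        "domains": c2_domains(cfg),
        "port": cfg["Port"],
        "mutex_prefix": cfg["Mutex"],
        "dns": custom_dns_servers(cfg),
        # Explains the "Hides that the sample has been downloaded (zone.identifier)" signature.
        "clears_zone_identifier": cfg.get("ClearZoneIdentifier") == "Enable",
        "keylogger": cfg.get("KeyboardLogging") == "Enable",
    }


CFG = load_config(NANOCORE_CONFIG)
# Mutant name as RegSvcs.exe created it in this report.
OBSERVED_MUTANT = r"\Sessions\1\BaseNamedObjects\Global\{ed2d5ce0-ca4d-4264-be01-91a018d59d09}"

if __name__ == "__main__":
    print(json.dumps(indicators(CFG), indent=2))
    print("mutant matches:", matches_mutant(CFG, OBSERVED_MUTANT))
    print("C2 hit:", matches_connection(CFG, "185.19.85.137", 6051, resolved={"185.19.85.137"}))
```

Port-only matching is deliberately not offered: 6051 is a non-standard port but far from unique, so a connection needs the host or a known-resolved IP as well before it counts as a hit.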

Yara Overview

Memory Dumps

Source: 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp
Rule: JoeSecurity_AntiVM_3 (Joe Security) - Yara detected AntiVM_3

Source: 00000000.00000002.260632599.00000000028A1000.00000004.00000001.sdmp
Rule: JoeSecurity_AntiVM_3 (Joe Security) - Yara detected AntiVM_3

Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2 (Florian Roth) - Detects the Nanocore RAT
Strings:
  • 0xf3595:$x1: NanoCore.ClientPluginHost
  • 0x125db5:$x1: NanoCore.ClientPluginHost
  • 0xf35d2:$x2: IClientNetworkHost
  • 0x125df2:$x2: IClientNetworkHost
  • 0xf7105:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x129925:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore (Joe Security) - Yara detected Nanocore RAT

Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp
Rule: NanoCore (Kevin Breen <kevin@techanarchy.net>) - description: unknown
Strings:
  • 0xf32fd:$a: NanoCore
  • 0xf330d:$a: NanoCore
  • 0xf3541:$a: NanoCore
  • 0xf3555:$a: NanoCore
  • 0xf3595:$a: NanoCore
  • 0x125b1d:$a: NanoCore
  • 0x125b2d:$a: NanoCore
  • 0x125d61:$a: NanoCore
  • 0x125d75:$a: NanoCore
  • 0x125db5:$a: NanoCore
  • 0xf335c:$b: ClientPlugin
  • 0xf355e:$b: ClientPlugin
  • 0xf359e:$b: ClientPlugin
  • 0x125b7c:$b: ClientPlugin
  • 0x125d7e:$b: ClientPlugin
  • 0x125dbe:$b: ClientPlugin
  • 0xf3483:$c: ProjectData
  • 0x125ca3:$c: ProjectData
  • 0x202a9e:$c: ProjectData
  • 0x27d2be:$c: ProjectData
  • 0xf3e8a:$d: DESCrypto

Unpacked PEs

Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack
Rule: Nanocore_RAT_Gen_2 (Florian Roth) - Detects the Nanocore RAT
Strings:
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack
Rule: Nanocore_RAT_Feb18_1 (Florian Roth) - Detects Nanocore RAT
Strings:
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost

Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack
Rule: JoeSecurity_Nanocore (Joe Security) - Yara detected Nanocore RAT

Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack
Rule: NanoCore (Kevin Breen <kevin@techanarchy.net>) - description: unknown
Strings:
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q

Source: 0.2.Proof of payment.jpg.exe.28a9640.1.raw.unpack
Rule: JoeSecurity_AntiVM_3 (Joe Security) - Yara detected AntiVM_3

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Proof of payment.jpg.exe', ParentImage: C:\Users\user\Desktop\Proof of payment.jpg.exe, ParentProcessId: 2940, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Proof of payment.jpg.exe', ParentImage: C:\Users\user\Desktop\Proof of payment.jpg.exe, ParentProcessId: 2940, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Jbx Signature Overview

            AV Detection:

Found malware configuration
Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack; Malware Configuration Extractor: NanoCore (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: harold.2waky.com; VirusTotal detection: 14%
Yara detected Nanocore RAT
Source: Yara match; File source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
Source: Proof of payment.jpg.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Proof of payment.jpg.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: harold.accesscam.org
Source: Malware configuration extractor; URLs: harold.2waky.com
Source: Joe Sandbox View; ASN Name: DATAWIRE-ASCH
Source: Joe Sandbox View; IP Address: 185.19.85.137
Source: global traffic; TCP traffic: 192.168.2.5:49749 -> 185.19.85.137:6051
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Proof of payment.jpg.exe, 00000000.00000002.264668051.0000000006A00000.00000004.00020000.sdmp; String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Proof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Proof of payment.jpg.exe, 00000000.00000003.248777304.0000000004D09000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designerst
Source: Proof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comB.TTFK
Source: Proof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: Proof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.commN
Source: Proof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/
Source: Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/-tR
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Proof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnX
Source: Proof of payment.jpg.exe, 00000000.00000003.243112899.0000000004D04000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cne
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0eb
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/ana
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: Proof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Proof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com-d
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr2011
Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.krlearn
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000003.241616923.0000000004D1B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: Proof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comc
Source: Proof of payment.jpg.exe, 00000000.00000003.241594978.0000000004D1B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comj
Source: Proof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.commN
Source: Proof of payment.jpg.exe, 00000000.00000003.242010011.0000000004D1B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comymP
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown; DNS traffic detected: queries for: harold.accesscam.org
Source: Proof of payment.jpg.exe, 00000000.00000002.259975282.0000000000828000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY

            System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: Proof of payment.jpg.exe
Source: Proof of payment.jpg.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Code function: 0_2_00144351
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Code function: 0_2_001466F9
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Code function: 0_2_0252897A
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Code function: 0_2_02520110
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Code function: 0_2_02522E75
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Code function: 0_2_02522E78
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Code function: 0_2_025230C0
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Code function: 0_2_02520102
Source: Proof of payment.jpg.exe, 00000000.00000002.259975282.0000000000828000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenamemscorwks.dllT vs Proof of payment.jpg.exe
Source: Proof of payment.jpg.exe, 00000000.00000002.265029079.0000000006BA0000.00000004.00020000.sdmp; Binary or memory string: OriginalFilenameUI.dll< vs Proof of payment.jpg.exe
Source: Proof of payment.jpg.exe, 00000000.00000002.259658160.00000000001EA000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameIdenti.exe4 vs Proof of payment.jpg.exe
Source: Proof of payment.jpg.exe; Binary or memory string: OriginalFilenameIdenti.exe4 vs Proof of payment.jpg.exe
Source: Proof of payment.jpg.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eoPqnTxJGg.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Proof of payment.jpg.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eoPqnTxJGg.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; File read: C:\Users\user\Desktop\Proof of payment.jpg.exe
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\Proof of payment.jpg.exe 'C:\Users\user\Desktop\Proof of payment.jpg.exe'
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; File created: C:\Users\user\AppData\Roaming\eoPqnTxJGg.exe
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; File created: C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp
Source: classification engine; Classification label: mal100.troj.evad.winEXE@6/8@25/2
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{ed2d5ce0-ca4d-4264-be01-91a018d59d09}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Proof of payment.jpg.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Proof of payment.jpg.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Proof of payment.jpg.exe, WinMixer/frmMain.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: eoPqnTxJGg.exe.0.dr, WinMixer/frmMain.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Proof of payment.jpg.exe.140000.0.unpack, WinMixer/frmMain.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.Proof of payment.jpg.exe.140000.0.unpack, WinMixer/frmMain.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Code function: 0_2_022529E3 push cs; ret
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Code function: 0_2_02252477 push esi; ret
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Code function: 0_2_02252C95 push es; ret
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Code function: 0_2_02267C5B push ecx; ret
            Source: initial sample Static PE information: section name: .text entropy: 7.85777209159
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe File created: C:\Users\user\AppData\Roaming\eoPqnTxJGg.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete
            Uses an obfuscated file name to hide its real file extension (double extension)
            Source: Possible double extension: jpg.exe Static PE information: Proof of payment.jpg.exe
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match File source: 0.2.Proof of payment.jpg.exe.28a9640.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.260632599.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: Proof of payment.jpg.exe PID: 2940, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe TID: 4036 Thread sleep time: -39648s >= -30000s
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe TID: 5040 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: foregroundWindowGot 716
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Window / User API: foregroundWindowGot 638
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Thread delayed: delay time: 39648
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp Binary or memory string: vmware
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: FFF008
            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            Source: RegSvcs.exe, 00000006.00000003.366721485.000000000659E000.00000004.00000001.sdmp Binary or memory string: Program Manager
            Source: RegSvcs.exe, 00000006.00000003.399886156.0000000006596000.00000004.00000001.sdmp Binary or memory string: Program ManagerbR
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Proof of payment.jpg.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

            Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY

            Remote Access Functionality:

Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY

            Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 3 1 2 | Masquerading 1 1 | Input Capture 1 | Security Software Discovery 1 1 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 2 1 | Security Account Manager | Virtualization/Sandbox Evasion 2 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 3 1 2 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 1 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 2 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 2 | DCSync | System Information Discovery 1 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

            Behavior Graph


            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

Source | Detection | Scanner | Label
harold.2waky.com | 15% | Virustotal |
harold.accesscam.org | 5% | Virustotal |

            URLs

Source | Detection | Scanner | Label
http://www.fontbureau.comB.TTFK | 0% | Avira URL Cloud | safe
http://www.tiro.comymP | 0% | Avira URL Cloud | safe
http://www.fonts.commN | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.sandoll.co.kr2011 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnX | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/-tR | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/E | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.sajatypeworks.com-d | 0% | Avira URL Cloud | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.tiro.commN | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/v | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0eb | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ana | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.tiro.comj | 0% | Avira URL Cloud | safe
harold.accesscam.org | 0% | Avira URL Cloud | safe
harold.2waky.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sandoll.co.krlearn | 0% | Avira URL Cloud | safe
http://www.tiro.comc | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cne | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
harold.2waky.com | 185.19.85.137 | true | true | | unknown
harold.accesscam.org | unknown | unknown | true | | unknown

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
harold.accesscam.org | true | Avira URL Cloud: safe | unknown
harold.2waky.com | true | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | Proof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comB.TTFK | Proof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comymP | Proof of payment.jpg.exe, 00000000.00000003.242010011.0000000004D1B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.commN | Proof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr2011 | Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cnX | Proof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000003.241616923.0000000004D1B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/-tR | Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/E | Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com-d | Proof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | Proof of payment.jpg.exe, 00000000.00000002.264668051.0000000006A00000.00000004.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.commN | Proof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | Proof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Proof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/v | Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0eb | Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ana | Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | | high
http://www.tiro.comj | Proof of payment.jpg.exe, 00000000.00000003.241594978.0000000004D1B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | Proof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krlearn | Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comc | Proof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designerst | Proof of payment.jpg.exe, 00000000.00000003.248777304.0000000004D09000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cne | Proof of payment.jpg.exe, 00000000.00000003.243112899.0000000004D04000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                  Contacted IPs


                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.19.85.137 | harold.2waky.com | Switzerland | 48971 | DATAWIRE-ASCH | true

                                  Private

                                  IP
                                  192.168.2.1

                                  General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 501103
Start date: 12.10.2021
Start time: 15:08:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Proof of payment.jpg.scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/8@25/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.203.141.148, 95.100.216.89, 20.82.210.154, 40.112.88.60, 20.82.209.104, 2.20.178.24, 2.20.178.33
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

Time | Type | Description
15:09:23 | API Interceptor | 1x Sleep call for process: Proof of payment.jpg.exe modified
15:09:27 | API Interceptor | 933x Sleep call for process: RegSvcs.exe modified

                                  Joe Sandbox View / Context

                                  IPs

Match | Associated Sample Name / URL | Detection
185.19.85.137 | Proof of payment.jpg.scr.exe | malicious
| Proof of payment.jpg.scr.exe | malicious
| PROFORMA INVOICE 20210823.pdf.exe | malicious
| New Proforma Invoice20210630.xlxs.exe | malicious
| Proforma Invoice20210625.pdf.exe | malicious
| PcdEZG6zDS.exe | malicious
| sfTZCyMKuC.exe | malicious

                                                Domains

Match | Associated Sample Name / URL | Detection | Context
harold.2waky.com | Proof of payment.jpg.scr.exe | malicious | 185.19.85.137
| Proof of payment.jpg.scr.exe | malicious | 185.19.85.137
| HxXHmM0T9f.exe | malicious | 23.146.242.147
| Request For Quotation.jar | malicious | 23.146.242.147
| QUOTE.exe | malicious | 194.5.98.5
| Payment proof.jpg.exe | malicious | 194.5.98.5
| Proof Of Payment.jpg.exe | malicious | 194.5.98.5
| Proof of payment.pdf.exe | malicious | 194.5.98.5
| Payment.pdf.exe | malicious | 91.193.75.29
| Payment Confirmation.exe | malicious | 185.165.153.213

                                                ASN

Match | Associated Sample Name / URL | Detection | Context
DATAWIRE-ASCH | MT103 10.11.pdf.exe | malicious | 185.19.85.136
| dAkJsQr7A9.exe | malicious | 185.19.85.175
| GIV PO 00254.xls.exe | malicious | 185.19.85.136
| dUzAkYsvl8.exe | malicious | 185.19.85.175
| BL & INVOICE.exe | malicious | 185.19.85.171
| Routing Details.vbs | malicious | 185.19.85.170
| Nueva orden #7624.xls.exe | malicious | 185.19.85.136
| voo7b2BBq6.exe | malicious | 185.19.85.175
| xmsGPH324z.exe | malicious | 185.19.85.175
| dVWsghK4Aj.exe | malicious | 185.19.85.175
| Proof of payment.jpg.scr.exe | malicious | 185.19.85.137
| ShippingDocs.exe | malicious | 185.19.85.171
| 2E9xpfvD2O.exe | malicious | 185.19.85.175
| Proof of payment.jpg.scr.exe | malicious | 185.19.85.137
| uF74GlbXPc.exe | malicious | 185.19.85.175
| jFjTeUfek3.exe | malicious | 185.19.85.175
| Q7DYDgQhKp.exe | malicious | 185.19.85.175
| USD31000.exe | malicious | 185.19.85.171
| 32000USD_Swift.exe | malicious | 185.19.85.171
| dlDGpRFSEo.exe | malicious | 185.19.85.175

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Proof of payment.jpg.exe.log
                                                Process:C:\Users\user\Desktop\Proof of payment.jpg.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):525
                                                Entropy (8bit):5.2874233355119316
                                                Encrypted:false
                                                SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp
                                                Process:C:\Users\user\Desktop\Proof of payment.jpg.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1647
                                                Entropy (8bit):5.171887955431004
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBetn:cbhC7ZlNQF/rydbz9I3YODOLNdq3C
                                                MD5:1358393D4D1CFCCE7BD6823A860F20B2
                                                SHA1:E513A17C19EB5C677435DC73C2533D2A7C52B59F
                                                SHA-256:66F6CF12179F5F9B8305C4A927D4084B553D9E90166D0D1B1056925D34A9B982
                                                SHA-512:DA7612128A91DA3B7EA8FB4571F99ACF2BC3BEC2ACD99A2EB73EC563DE9BD2349B8C7CF4A93A8389A6778D0C1537D8ECED2FF8DD6580AA8D506ADDDB69B7AE04
                                                Malicious:true
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1392
                                                Entropy (8bit):7.089541637477408
                                                Encrypted:false
                                                SSDEEP:24:IQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4l:IknjhUknjhUknjhUknjhUknjhUknjhL
                                                MD5:5E3C10DCF7AAB1A5E4671C3AD52D9BD2
                                                SHA1:7DE7F5ACAED711BC35E62756D1440E80262D85D1
                                                SHA-256:B9EB9E732F6204735FFB2C9A6EC8F077E4B4F31E57E336199D22278EAD8412F9
                                                SHA-512:00252F19A1D0098FEBC78231182FAD57A66390077C0C462C94950D7CA02D53A7B7D692B4D7E718DF2708C1F7919CCB29837A2309E3BEFD2D585FF0C049E5FEB3
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8
                                                Entropy (8bit):3.0
                                                Encrypted:false
                                                SSDEEP:3:98:y
                                                MD5:108FC92C1878B6BB04738FB9430AD1A0
                                                SHA1:030EF679702BA4AC7629B9D6D3980231F35CE18C
                                                SHA-256:FB9CF8B94C82519C911F1EE89763BF9EDFE05EAC3FDBF7A09229E6BE9AD2DCE2
                                                SHA-512:1C39811250792C91A1418A424081A627D5032F33F90B3B37EC24824E4BD040EC36C197C628C13B700F6435164339DE77CFB8497476A9E16B4760AF9ECC85A823
                                                Malicious:true
                                                Reputation:low
                                                Preview: ......H
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):40
                                                Entropy (8bit):5.153055907333276
                                                Encrypted:false
                                                SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                MD5:4E5E92E2369688041CC82EF9650EDED2
                                                SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                Malicious:false
                                                Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):426832
                                                Entropy (8bit):7.999527918131335
                                                Encrypted:true
                                                SSDEEP:6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
                                                MD5:653DDDCB6C89F6EC51F3DDC0053C5914
                                                SHA1:4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
                                                SHA-256:83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
                                                SHA-512:27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
                                                Malicious:false
                                                Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..
                                                C:\Users\user\AppData\Roaming\eoPqnTxJGg.exe
                                                Process:C:\Users\user\Desktop\Proof of payment.jpg.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):686080
                                                Entropy (8bit):7.645401121666266
                                                Encrypted:false
                                                SSDEEP:12288:6MbSB2Fio+a+k09R8Yrt2JX6RaaALVlQ9UfHRkkPG0r5PSsPa23rEG0r5FbnVe:6JBcio+a+ki3VRaaALPhfHRtPG0rpSsQ
                                                MD5:F16A886B0C04454901AC6D0923297C0E
                                                SHA1:47ED9CBE0C0430444FFD842A231C06A258FE6A5D
                                                SHA-256:9F4C690FDF0C329B419EB7CBF02C874DD7BE5EC7BB3585A0C94A0ABA266604D4
                                                SHA-512:E60A04F86083603CAC82F970552C0031FD52A9CBC7293BA873427D45FBEDFEB13284126BF28EB01692B9C4DA81B26D9146DB7C9F6630A2455E9F32D15183CAEB
                                                Malicious:false
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....iea..............0.................. ... ....@.. ....................................@.....................................O.... .. ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... .... ......................@..@.reloc...............v..............@..B........................H........_...P......}.......U...........................................0..4..........K......r...p...r...p.......,.......+.........+..*.0..F..........+6...........................o.........,.r!..ps....z..X....i....-.*...0..d..........+N..+8.....(.......(...............o.........,.r!..ps....z..X....o........-...X....o..........-.*.0.............+j..+R..+:......(........(...............o.........,.r!..ps....z..X....o..........-...X....o..........-...X....o..........-.*".(.....
                                                C:\Users\user\AppData\Roaming\eoPqnTxJGg.exe:Zone.Identifier
                                                Process:C:\Users\user\Desktop\Proof of payment.jpg.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:false
                                                Preview: [ZoneTransfer]....ZoneId=0

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.645401121666266
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:Proof of payment.jpg.exe
                                                File size:686080
                                                MD5:f16a886b0c04454901ac6d0923297c0e
                                                SHA1:47ed9cbe0c0430444ffd842a231c06a258fe6a5d
                                                SHA256:9f4c690fdf0c329b419eb7cbf02c874dd7be5ec7bb3585a0c94a0aba266604d4
                                                SHA512:e60a04f86083603cac82f970552c0031fd52a9cbc7293ba873427d45fbedfeb13284126bf28eb01692b9c4da81b26d9146db7c9f6630a2455e9f32d15183caeb
                                                SSDEEP:12288:6MbSB2Fio+a+k09R8Yrt2JX6RaaALVlQ9UfHRkkPG0r5PSsPa23rEG0r5FbnVe:6JBcio+a+ki3VRaaALPhfHRtPG0rpSsQ
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....iea..............0.................. ... ....@.. ....................................@................................

                                                File Icon

                                                Icon Hash:0089c5cd91810189

                                                Static PE Info

                                                General

                                                Entrypoint:0x49052e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x616569F4 [Tue Oct 12 10:56:52 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v2.0.50727
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744 (the generic imphash shared by every .NET executable whose only native import is mscoree!_CorExeMain; it identifies the runtime stub, not this sample, so it is not usable as a pivot)

                                                Entrypoint Preview

Instruction (only the first jmp, through the IAT slot at 0x402000 to mscoree!_CorExeMain, is native code that executes; the remaining lines are a linear disassembly of the data that follows the CLR stub)
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                fcom dword ptr [edx+00h]
                                                add bl, ah
                                                movsd
                                                add byte ptr [eax], al
                                                pop esp
                                                stc
                                                add byte ptr [eax], al
                                                pop ecx
                                                dec ebp
                                                add dword ptr [eax], eax
                                                push es
                                                mov byte ptr [F7630001h], al
                                                add dword ptr [eax], eax
                                                mov dword ptr [ebp+02h], ecx
                                                add byte ptr [ebp-5Ch], bl
                                                add al, byte ptr [eax]

                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x904dc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x92000 | 0x18a20 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8e61c | 0x8e800 | False | 0.924275287829 | data | 7.85777209159 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x92000 | 0x18a20 | 0x18c00 | False | 0.377426609848 | data | 5.45184475744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xac000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x921a8 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x92610 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x96838 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x978e0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x99e88 | 0x10828 | data | |
RT_GROUP_ICON | 0xaa6b0 | 0x4c | data | |
RT_VERSION | 0xaa6fc | 0x324 | data | |

                                                Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2018 - 2021
Assembly Version | 4.0.2.0
InternalName | Identi.exe
FileVersion | 4.0.2.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | Win Mixer
ProductVersion | 4.0.2.0
FileDescription | Win Mixer
OriginalFilename | Identi.exe

                                                Network Behavior

                                                Network Port Distribution
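The packet table in this section records a single session between the sandbox host 192.168.2.5 and 185.19.85.137 on TCP 6051, the NanoCore C2 endpoint for this run. The following Python script is an added example and is not part of the Joe Sandbox report. It folds packet rows in the table's column order (timestamp, source port, destination port, source IP, destination IP) into flows, marks the ones shaped like a beacon (public server, uncommon port, traffic in both directions) and emits a Suricata rule for the endpoint. The embedded rows are the first twelve of the report's packet table; the rule's sid is a placeholder.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# The first rows of the report's TCP packet table (timestamp, source port,
# destination port, source IP, destination IP); the capture runs on past them.
PACKETS = """\
Oct 12, 2021 15:09:42.797943115 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:42.920711040 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:42.922166109 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:43.290159941 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:43.418488979 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:43.418653011 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:43.599528074 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:43.599596977 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:43.713545084 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:43.713640928 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:43.873142958 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:43.873290062 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
"""

# Ports on which an outbound session to a public host is unremarkable by itself.
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080}


def parse_ts(ts: str) -> datetime:
    """'Oct 12, 2021 15:09:42.797943115 CEST' -> naive datetime. The sandbox logs
    nanoseconds and strptime accepts at most six fractional digits, so the value
    is truncated; the zone suffix is dropped because every row carries the same one."""
    date, clock, _zone = ts.rsplit(" ", 2)
    hms, frac = clock.split(".")
    return datetime.strptime(f"{date} {hms}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def build_flows(table: str) -> dict:
    """Fold packet rows into flows keyed by (client, server, server_port) with a
    packet count per direction. The private (RFC 1918) side is the client; when
    both ends are private or both public, the lower port is taken as the listener."""
    flows = defaultdict(lambda: {"c2s": 0, "s2c": 0, "first": None, "last": None})
    for line in table.strip().splitlines():
        ts, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        t, sport, dport = parse_ts(ts), int(sport), int(dport)
        src_priv = ipaddress.ip_address(sip).is_private
        dst_priv = ipaddress.ip_address(dip).is_private
        client_is_src = src_priv if src_priv != dst_priv else sport > dport
        if client_is_src:
            key, direction = (sip, dip, dport), "c2s"
        else:
            key, direction = (dip, sip, sport), "s2c"
        f = flows[key]
        f[direction] += 1
        f["first"] = t if f["first"] is None else min(f["first"], t)
        f["last"] = t if f["last"] is None else max(f["last"], t)
    return dict(flows)


def beacon_candidates(flows: dict) -> list:
    """Flows to a public server on an uncommon port with packets both ways, the
    shape of the 192.168.2.5 -> 185.19.85.137:6051 session in this report.
    Most talkative first."""
    hits = [
        key for key, f in flows.items()
        if ipaddress.ip_address(key[1]).is_global
        and key[2] not in COMMON_PORTS and f["c2s"] and f["s2c"]
    ]
    return sorted(hits, key=lambda k: -(flows[k]["c2s"] + flows[k]["s2c"]))


def suricata_rule(server: str, port: int, sid: int) -> str:
    """Alert rule for the C2 endpoint. sid is a placeholder; pick a free one from
    the local (>= 1000000) range of your rule set."""
    return (f"alert tcp $HOME_NET any -> {server} {port} "
            f'(msg:"NanoCore C2 {server}:{port}"; flow:established,to_server; '
            f"sid:{sid}; rev:1;)")


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for client, server, port in beacon_candidates(flows):
        f = flows[(client, server, port)]
        print(f"{client} -> {server}:{port}  c2s={f['c2s']} s2c={f['s2c']} "
              f"duration={(f['last'] - f['first']).total_seconds():.3f}s")
        print(suricata_rule(server, port, 1000001))
```

On the twelve rows this yields one flow, seven packets client-to-server and five back, and the rule for 185.19.85.137:6051; the IP rule is a stop-gap, since the same family moves across the neighbouring 185.19.85.x hosts listed in the similar-samples context above.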

                                                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2021 15:09:42.797943115 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:42.920711040 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:42.922166109 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:43.290159941 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:43.418488979 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:43.418653011 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:43.599528074 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:43.599596977 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:43.713545084 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:43.713640928 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:43.873142958 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:43.873290062 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.063312054 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.063399076 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.063857079 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.063918114 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.064035892 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.064054012 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.064171076 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.064471960 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.064531088 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.177896976 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.177962065 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.178000927 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.178040028 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.178268909 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.178556919 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.178606033 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.178626060 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.178792953 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.178864002 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.179075956 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.179183960 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.179264069 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.179332018 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.179467916 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.179519892 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.293198109 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.293242931 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.293355942 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.294009924 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.294037104 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.294059992 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.294075012 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.294131041 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.294166088 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.294502974 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.294558048 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.297152042 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.297179937 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.297210932 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.297243118 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.297348022 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.297415018 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.297553062 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.297624111 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.297636032 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.297663927 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.297725916 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.297882080 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.297940016 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.298048019 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.298083067 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.298135996 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.415673018 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
Oct 12, 2021 15:09:44.415796041 CEST | 49749 | 6051 | 192.168.2.5 | 185.19.85.137
Oct 12, 2021 15:09:44.416903019 CEST | 6051 | 49749 | 185.19.85.137 | 192.168.2.5
                                                Oct 12, 2021 15:09:44.416977882 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.417202950 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.417313099 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.417380095 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.417463064 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.417704105 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.419178009 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419285059 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419365883 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.419431925 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419595003 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419629097 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419667006 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.419688940 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.419800997 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419960022 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420026064 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.420130968 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420237064 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420258045 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.420295954 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.420325994 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420382023 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.420391083 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420551062 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420610905 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.421951056 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.422116995 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.422167063 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.422184944 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.422246933 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.422281027 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.422337055 CEST497496051192.168.2.5185.19.85.137

                                                UDP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                DNS Queries

                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

                                                DNS Answers

                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class

                                                Code Manipulations

                                                Statistics

                                                Behavior


                                                System Behavior

                                                General

                                                Start time: 15:09:16
                                                Start date: 12/10/2021
                                                Path: C:\Users\user\Desktop\Proof of payment.jpg.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Users\user\Desktop\Proof of payment.jpg.exe'
                                                Imagebase: 0x140000
                                                File size: 686080 bytes
                                                MD5 hash: F16A886B0C04454901AC6D0923297C0E
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.260632599.00000000028A1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation: low

                                                General

                                                Start time: 15:09:24
                                                Start date: 12/10/2021
                                                Path: C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit): true
                                                Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'
                                                Imagebase: 0x1c0000
                                                File size: 185856 bytes
                                                MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 15:09:25
                                                Start date: 12/10/2021
                                                Path: C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit): false
                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase: 0x7ff7ecfc0000
                                                File size: 625664 bytes
                                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: C, C++ or other language
                                                Reputation: high

                                                General

                                                Start time: 15:09:25
                                                Start date: 12/10/2021
                                                Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                Wow64 process (32bit): true
                                                Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                Imagebase: 0xd60000
                                                File size: 32768 bytes
                                                MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
                                                Has elevated privileges: true
                                                Has administrator privileges: true
                                                Programmed in: .Net C# or VB.NET
                                                Reputation: moderate

                                                Disassembly

                                                Code Analysis
