Play interactive tour

Edit tour

Windows Analysis Report Payment Notification.pdf.scr

Overview

General Information

Sample Name:	Payment Notification.pdf.scr (renamed file extension from scr to exe)
Analysis ID:	509323
MD5:	06e79cb697e436c1e66c49d3c39dbd82
SHA1:	025758750ef682cead7c98f6cf4156c7bb33a3b2
SHA256:	07749072a852c769fad91c350e6921b811fb04de3448516e2ccf5b81d07e22e7
Tags:	exeNanoCore
Infos:
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Payment Notification.pdf.exe (PID: 6132 cmdline: 'C:\Users\user\Desktop\Payment Notification.pdf.exe' MD5: 06E79CB697E436C1E66C49D3C39DBD82)

schtasks.exe (PID: 3740 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XDyfQvRGNV' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5A6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5412 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x29efcd:$x1: NanoCore.ClientPluginHost 0x2d17ed:$x1: NanoCore.ClientPluginHost 0x29f00a:$x2: IClientNetworkHost 0x2d182a:$x2: IClientNetworkHost 0x2a2b3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2d535d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x29ed35:$a: NanoCore 0x29ed45:$a: NanoCore 0x29ef79:$a: NanoCore 0x29ef8d:$a: NanoCore 0x29efcd:$a: NanoCore 0x2d1555:$a: NanoCore 0x2d1565:$a: NanoCore 0x2d1799:$a: NanoCore 0x2d17ad:$a: NanoCore 0x2d17ed:$a: NanoCore 0x29ed94:$b: ClientPlugin 0x29ef96:$b: ClientPlugin 0x29efd6:$b: ClientPlugin 0x2d15b4:$b: ClientPlugin 0x2d17b6:$b: ClientPlugin 0x2d17f6:$b: ClientPlugin 0x16783e:$c: ProjectData 0x1bb65e:$c: ProjectData 0x29eebb:$c: ProjectData 0x2d16db:$c: ProjectData 0x29f8c2:$d: DESCrypto
Process Memory Space: Payment Notification.pdf.exe PID: 6132	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.Payment Notification.pdf.exe.428fe40.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment Notification.pdf.exe.428fe40.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Payment Notification.pdf.exe.428fe40.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment Notification.pdf.exe.428fe40.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.Payment Notification.pdf.exe.300bffc.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfbe3d:$x1: NanoCore.ClientPluginHost 0x12e65d:$x1: NanoCore.ClientPluginHost 0xfbe7a:$x2: IClientNetworkHost 0x12e69a:$x2: IClientNetworkHost 0xff9ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1321cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfbba5:$a: NanoCore 0xfbbb5:$a: NanoCore 0xfbde9:$a: NanoCore 0xfbdfd:$a: NanoCore 0xfbe3d:$a: NanoCore 0x12e3c5:$a: NanoCore 0x12e3d5:$a: NanoCore 0x12e609:$a: NanoCore 0x12e61d:$a: NanoCore 0x12e65d:$a: NanoCore 0xfbc04:$b: ClientPlugin 0xfbe06:$b: ClientPlugin 0xfbe46:$b: ClientPlugin 0x12e424:$b: ClientPlugin 0x12e626:$b: ClientPlugin 0x12e666:$b: ClientPlugin 0x184ce:$c: ProjectData 0xfbd2b:$c: ProjectData 0x12e54b:$c: ProjectData 0xfc732:$d: DESCrypto 0x12ef52:$d: DESCrypto
0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x14fc5d:$x1: NanoCore.ClientPluginHost 0x18247d:$x1: NanoCore.ClientPluginHost 0x14fc9a:$x2: IClientNetworkHost 0x1824ba:$x2: IClientNetworkHost 0x1537cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x185fed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14f9c5:$a: NanoCore 0x14f9d5:$a: NanoCore 0x14fc09:$a: NanoCore 0x14fc1d:$a: NanoCore 0x14fc5d:$a: NanoCore 0x1821e5:$a: NanoCore 0x1821f5:$a: NanoCore 0x182429:$a: NanoCore 0x18243d:$a: NanoCore 0x18247d:$a: NanoCore 0x14fa24:$b: ClientPlugin 0x14fc26:$b: ClientPlugin 0x14fc66:$b: ClientPlugin 0x182244:$b: ClientPlugin 0x182446:$b: ClientPlugin 0x182486:$b: ClientPlugin 0x184ce:$c: ProjectData 0x6c2ee:$c: ProjectData 0x14fb4b:$c: ProjectData 0x18236b:$c: ProjectData 0x150552:$d: DESCrypto
Click to see the 10 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5412, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Payment Notification.pdf.exe' , ParentImage: C:\Users\user\Desktop\Payment Notification.pdf.exe, ParentProcessId: 6132, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5412

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Payment Notification.pdf.exe' , ParentImage: C:\Users\user\Desktop\Payment Notification.pdf.exe, ParentProcessId: 6132, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5412

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Show sources

Source: Payment Notification.pdf.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\XDyfQvRGNV.exe

ReversingLabs: Detection: 31%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.428fe40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: Payment Notification.pdf.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\XDyfQvRGNV.exe

Joe Sandbox ML: detected

Source: Payment Notification.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: Payment Notification.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Code function: 4x nop then jmp 0140BCF4h

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: harold.accesscam.org
Source: Malware configuration extractor	URLs: harold.2waky.com

Source: Joe Sandbox View

ASN Name: VDI-NETWORKUS VDI-NETWORKUS

Source: Joe Sandbox View

IP Address: 23.146.242.147 23.146.242.147

Source: global traffic

TCP traffic: 192.168.2.4:49774 -> 23.146.242.147:6051

Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment Notification.pdf.exe, 00000000.00000003.666385741.0000000005369000.00000004.00000001.sdmp, Payment Notification.pdf.exe, 00000000.00000003.666577138.0000000005366000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Payment Notification.pdf.exe, 00000000.00000003.666416654.0000000005369000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com6
Source: Payment Notification.pdf.exe, 00000000.00000003.666577138.0000000005366000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comH
Source: Payment Notification.pdf.exe, 00000000.00000003.666416654.0000000005369000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTCA
Source: Payment Notification.pdf.exe, 00000000.00000003.666577138.0000000005366000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comal
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Payment Notification.pdf.exe, 00000000.00000003.666577138.0000000005366000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comles
Source: Payment Notification.pdf.exe, 00000000.00000003.666416654.0000000005369000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com~
Source: Payment Notification.pdf.exe, 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Notification.pdf.exe, 00000000.00000003.669081604.000000000141B000.00000004.00000001.sdmp, Payment Notification.pdf.exe, 00000000.00000003.669206454.000000000535C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment Notification.pdf.exe, 00000000.00000003.670250615.000000000141B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersX
Source: Payment Notification.pdf.exe, 00000000.00000003.680065727.000000000535C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTFQ
Source: Payment Notification.pdf.exe, 00000000.00000003.680065727.000000000535C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comf
Source: Payment Notification.pdf.exe, 00000000.00000003.669206454.000000000535C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comnc./t
Source: Payment Notification.pdf.exe, 00000000.00000003.680065727.000000000535C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comot
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Payment Notification.pdf.exe, 00000000.00000003.666140298.0000000005360000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment Notification.pdf.exe, 00000000.00000003.665683660.000000000141B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnc
Source: Payment Notification.pdf.exe, 00000000.00000003.665676518.0000000005364000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cne
Source: Payment Notification.pdf.exe, 00000000.00000003.665676518.0000000005364000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cntte
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Payment Notification.pdf.exe, 00000000.00000003.668884985.000000000535C000.00000004.00000001.sdmp, Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/#
Source: Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/16
Source: Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/=
Source: Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: Payment Notification.pdf.exe, 00000000.00000003.666931923.0000000005355000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Kurs
Source: Payment Notification.pdf.exe, 00000000.00000003.667537482.000000000535C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Q
Source: Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0z
Source: Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Payment Notification.pdf.exe, 00000000.00000003.667537482.000000000535C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/t
Source: Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: harold.accesscam.org

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.428fe40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment Notification.pdf.exe.428fe40.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment Notification.pdf.exe.428fe40.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Payment Notification.pdf.exe
Source: initial sample	Static PE information: Filename: Payment Notification.pdf.exe

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Payment Notification.pdf.exe

Static file information: Suspicious name

Source: Payment Notification.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment Notification.pdf.exe.428fe40.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment Notification.pdf.exe.428fe40.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment Notification.pdf.exe.428fe40.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Code function: 0_2_01400138
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Code function: 0_2_01401A20
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Code function: 0_2_01401EE8
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Code function: 0_2_0140012A
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Code function: 0_2_014030DF
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Code function: 0_2_014030F0
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Code function: 0_2_01401A0F
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Code function: 0_2_01404E86
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Code function: 0_2_01402E98
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Code function: 0_2_01402EA8

Source: Payment Notification.pdf.exe, 00000000.00000000.662022741.00000000009BE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameNameIn.exe< vs Payment Notification.pdf.exe
Source: Payment Notification.pdf.exe, 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTaskNode.dll4 vs Payment Notification.pdf.exe
Source: Payment Notification.pdf.exe, 00000000.00000002.685628683.00000000073B0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs Payment Notification.pdf.exe
Source: Payment Notification.pdf.exe	Binary or memory string: OriginalFilenameNameIn.exe< vs Payment Notification.pdf.exe

Source: Payment Notification.pdf.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: XDyfQvRGNV.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Payment Notification.pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XDyfQvRGNV.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Payment Notification.pdf.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

File read: C:\Users\user\Desktop\Payment Notification.pdf.exe

Jump to behavior

Source: Payment Notification.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Payment Notification.pdf.exe 'C:\Users\user\Desktop\Payment Notification.pdf.exe'
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XDyfQvRGNV' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5A6.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XDyfQvRGNV' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5A6.tmp'
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

File created: C:\Users\user\AppData\Roaming\XDyfQvRGNV.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB5A6.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/9@25/1

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: Payment Notification.pdf.scr

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{ed2d5ce0-ca4d-4264-be01-91a018d59d09}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_01

Source: Payment Notification.pdf.exe	String found in binary or memory: $c2808ccb-5ae8-48e8-add6-1570f353a9d0
Source: Payment Notification.pdf.exe	String found in binary or memory: $c2808ccb-5ae8-48e8-add6-1570f353a9d0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: Payment Notification.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment Notification.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Code function: 0_2_014077F4 push eax; retf

Source: initial sample	Static PE information: section name: .text entropy: 7.95381107264
Source: initial sample	Static PE information: section name: .text entropy: 7.95381107264

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

File created: C:\Users\user\AppData\Roaming\XDyfQvRGNV.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XDyfQvRGNV' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5A6.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: Payment Notification.pdf.exe

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.300bffc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment Notification.pdf.exe PID: 6132, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Payment Notification.pdf.exe, 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Payment Notification.pdf.exe, 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe TID: 5156	Thread sleep time: -40034s >= -30000s
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe TID: 4940	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 654

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Thread delayed: delay time: 40034
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: Payment Notification.pdf.exe, 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Payment Notification.pdf.exe, 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment Notification.pdf.exe, 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000006.00000003.684999280.0000000001104000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Payment Notification.pdf.exe, 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: D66008

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XDyfQvRGNV' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5A6.tmp'
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Source: RegSvcs.exe, 00000006.00000003.684999280.0000000001104000.00000004.00000001.sdmp

Binary or memory string: Program Manager.NET\Framework\v2.0.50727\h

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Notification.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Payment Notification.pdf.exe

Code function: 0_2_011CA2F6 GetUserNameW,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.428fe40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.428fe40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.428fe40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.41a4190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Notification.pdf.exe.4150370.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection312	Masquerading11	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery211	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection312	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information13	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing2	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	File and Directory Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Information Discovery12	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payment Notification.pdf.exe	31%	ReversingLabs	ByteCode-MSIL.Trojan.APost
Payment Notification.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XDyfQvRGNV.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XDyfQvRGNV.exe	31%	ReversingLabs	ByteCode-MSIL.Trojan.APost

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cntte	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.comB.TTFQ	0%	Avira URL Cloud	safe
http://www.carterandcone.comal	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.carterandcone.com6	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0z	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.carterandcone.comTCA	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Kurs	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
harold.accesscam.org	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/#	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.comles	0%	Avira URL Cloud	safe
http://www.fontbureau.comnc./t	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comH	0%	URL Reputation	safe
http://www.founder.com.cn/cnc	0%	URL Reputation	safe
http://www.founder.com.cn/cne	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/N	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/t	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/=	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/16	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comf	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/t	0%	URL Reputation	safe
http://www.carterandcone.com~	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/k	0%	URL Reputation	safe
harold.2waky.com	0%	Avira URL Cloud	safe
http://www.fontbureau.comot	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
harold.2waky.com	23.146.242.147	true	true		unknown
harold.accesscam.org	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
harold.accesscam.org	true	Avira URL Cloud: safe	unknown
harold.2waky.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cntte	Payment Notification.pdf.exe, 00000000.00000003.665676518.0000000005364000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comB.TTFQ	Payment Notification.pdf.exe, 00000000.00000003.680065727.000000000535C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comal	Payment Notification.pdf.exe, 00000000.00000003.666577138.0000000005366000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersX	Payment Notification.pdf.exe, 00000000.00000003.670250615.000000000141B000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com6	Payment Notification.pdf.exe, 00000000.00000003.666416654.0000000005369000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	Payment Notification.pdf.exe, 00000000.00000003.666385741.0000000005369000.00000004.00000001.sdmp, Payment Notification.pdf.exe, 00000000.00000003.666577138.0000000005366000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.collada.org/2005/11/COLLADASchema9Done	Payment Notification.pdf.exe, 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0z	Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comTCA	Payment Notification.pdf.exe, 00000000.00000003.666416654.0000000005369000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Kurs	Payment Notification.pdf.exe, 00000000.00000003.666931923.0000000005355000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/(	Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/#	Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comles	Payment Notification.pdf.exe, 00000000.00000003.666577138.0000000005366000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comnc./t	Payment Notification.pdf.exe, 00000000.00000003.669206454.000000000535C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comH	Payment Notification.pdf.exe, 00000000.00000003.666577138.0000000005366000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnc	Payment Notification.pdf.exe, 00000000.00000003.665683660.000000000141B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cne	Payment Notification.pdf.exe, 00000000.00000003.665676518.0000000005364000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/Q	Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/N	Payment Notification.pdf.exe, 00000000.00000003.667537482.000000000535C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/F	Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/t	Payment Notification.pdf.exe, 00000000.00000003.667537482.000000000535C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/=	Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/16	Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	Payment Notification.pdf.exe, 00000000.00000003.666140298.0000000005360000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comf	Payment Notification.pdf.exe, 00000000.00000003.680065727.000000000535C000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/t	Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com~	Payment Notification.pdf.exe, 00000000.00000003.666416654.0000000005369000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/	Payment Notification.pdf.exe, 00000000.00000003.668884985.000000000535C000.00000004.00000001.sdmp, Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/k	Payment Notification.pdf.exe, 00000000.00000003.667109208.0000000005356000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Payment Notification.pdf.exe, 00000000.00000002.683336693.0000000006622000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/	Payment Notification.pdf.exe, 00000000.00000003.669081604.000000000141B000.00000004.00000001.sdmp, Payment Notification.pdf.exe, 00000000.00000003.669206454.000000000535C000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comot	Payment Notification.pdf.exe, 00000000.00000003.680065727.000000000535C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.146.242.147	harold.2waky.com	Reserved		46664	VDI-NETWORKUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	509323
Start date:	26.10.2021
Start time:	12:06:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Payment Notification.pdf.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/9@25/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.5% (good quality ratio 0.9%) Quality average: 36.2% Quality standard deviation: 38.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.50.102.62, 173.222.108.226, 173.222.108.210, 20.54.110.249, 40.112.88.60, 52.251.79.25, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/509323/sample/Payment Notification.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
12:07:35	API Interceptor	2x Sleep call for process: Payment Notification.pdf.exe modified
12:07:39	API Interceptor	940x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
23.146.242.147	Proof of payment.jpg.exe	Get hash	malicious	Browse
	HxXHmM0T9f.exe	Get hash	malicious	Browse
	Payment Notification.exe	Get hash	malicious	Browse
	Payment Notification.scr.exe	Get hash	malicious	Browse
	Payment Notification.scr.exe	Get hash	malicious	Browse
	Request For Quotation.jar	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
harold.2waky.com	Proof of payment.jpg.exe	Get hash	malicious	Browse	23.146.242.147
	Proof of payment.jpg.exe	Get hash	malicious	Browse	185.19.85.137
	Quotation Request.pdf.exe	Get hash	malicious	Browse	185.19.85.137
	Proof of payment.jpg.exe	Get hash	malicious	Browse	185.19.85.137
	Proof of payment.jpg.scr.exe	Get hash	malicious	Browse	185.19.85.137
	Proof of payment.jpg.scr.exe	Get hash	malicious	Browse	185.19.85.137
	HxXHmM0T9f.exe	Get hash	malicious	Browse	23.146.242.147
	Request For Quotation.jar	Get hash	malicious	Browse	23.146.242.147
	QUOTE.exe	Get hash	malicious	Browse	194.5.98.5
	Payment proof.jpg.exe	Get hash	malicious	Browse	194.5.98.5
	Proof Of Payment.jpg.exe	Get hash	malicious	Browse	194.5.98.5
	Proof of payment.pdf.exe	Get hash	malicious	Browse	194.5.98.5
	Payment.pdf.exe	Get hash	malicious	Browse	91.193.75.29
	Payment Confirmation.exe	Get hash	malicious	Browse	185.165.153.213

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VDI-NETWORKUS	Proof of payment.jpg.exe	Get hash	malicious	Browse	23.146.242.147
	7WVpng6phO.exe	Get hash	malicious	Browse	156.96.151.237
	hWA2wujmoe.exe	Get hash	malicious	Browse	23.146.242.85
	1gPmnCR2PX.exe	Get hash	malicious	Browse	23.146.242.85
	bvngnTeTxp.exe	Get hash	malicious	Browse	23.146.242.85
	ABzm98MbSD.exe	Get hash	malicious	Browse	23.146.242.85
	7w2oGjbrQR.exe	Get hash	malicious	Browse	23.146.242.85
	5HpbqZ5r7t.exe	Get hash	malicious	Browse	23.146.242.85
	Cu4ltshF0q	Get hash	malicious	Browse	156.96.155.230
	RX2dMHNrPL.exe	Get hash	malicious	Browse	23.146.242.85
	tZz20galQf.exe	Get hash	malicious	Browse	23.146.242.85
	0r22uNk4EF.exe	Get hash	malicious	Browse	23.146.242.85
	WbE13U2I1M.exe	Get hash	malicious	Browse	23.146.242.85
	DW1VgsgHNU.exe	Get hash	malicious	Browse	23.146.242.85
	8TEZmAEx3U.exe	Get hash	malicious	Browse	23.146.242.85
	7HHrcwZjLI.exe	Get hash	malicious	Browse	23.146.242.85
	466XoziOLD.exe	Get hash	malicious	Browse	23.146.242.85
	hVlpEajflR.exe	Get hash	malicious	Browse	23.146.242.85
	0rUkHCgvVf.exe	Get hash	malicious	Browse	23.146.242.85
	HxXHmM0T9f.exe	Get hash	malicious	Browse	23.146.242.147

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment Notification.pdf.exe.log Download File
Process:	C:\Users\user\Desktop\Payment Notification.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpB5A6.tmp Download File
Process:	C:\Users\user\Desktop\Payment Notification.pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1643
Entropy (8bit):	5.191361547203692
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGVtn:cbhK79lNQR/rydbz9I3YODOLNdq30
MD5:	2F47475C4B4B087C7AA31D5961650D4B
SHA1:	49765D299736594A59E380F27ABCB14ADBD9E2DA
SHA-256:	DD928D2AA2EC67114437376422EE33C321FA972EF4EF6623BE067427178AE1DD
SHA-512:	D1B70CA43C987DFA63C10CA5E3BC39A7488CAE701C2D1F80580BD0F097FCAABE8434071C90C8D4F6EAD127B9C19C2DE7B38EC95429D866E9284901C8CE491A92
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:dNet:Py
MD5:	4AC1BB475FF573310BF15DC6C31BC846
SHA1:	987F6E543C60DE91F724DF5336089FDB7677BF5A
SHA-256:	07BA14A62BF8EEF8FA8B3BBDD6DD398099EFCAC9039ADDB2F104BEB381CC769A
SHA-512:	45429609143113A18120A8C62AFD9E81B9100E8B381596A94049AD9709404B2E00F71CB1A7894DA1A82EDD4226E7E07CE84B99917309A054A95837EC78C98251
Malicious:	true
Reputation:	low
Preview:	.TYqh..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYk:RzWDI3
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	426832
Entropy (8bit):	7.999527918131335
Encrypted:	true
SSDEEP:	6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
MD5:	653DDDCB6C89F6EC51F3DDC0053C5914
SHA1:	4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
SHA-256:	83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
SHA-512:	27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
Malicious:	false
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\XDyfQvRGNV.exe Download File
Process:	C:\Users\user\Desktop\Payment Notification.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	457728
Entropy (8bit):	7.631882884601436
Encrypted:	false
SSDEEP:	6144:75UiswNkTzNaIaX++UCEbOUPhM2yXJogC6HVcUGDneVy2vakl3V:FkyX+7OUPh3y5D1cVDneVyYagV
MD5:	06E79CB697E436C1E66C49D3C39DBD82
SHA1:	025758750EF682CEAD7C98F6CF4156C7BB33A3B2
SHA-256:	07749072A852C769FAD91C350E6921B811FB04DE3448516E2CCF5B81D07E22E7
SHA-512:	F2EC81462399525595B8B0210024E80DA782E09F43DAE71156E5567B590C30FC5716218441664E4E142DBD0F2EC888E78706A20466866814A8D4454423B4BE32
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.wa..............0......L........... ........@.. .......................`............@.....................................O........J...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....J.......J..................@..@.reloc.......@......................@..B........................H........?...A......}.......(J............................................{...."..}......{...."..}......{...."..}......{...."..}......{...."..}........0..8........s....%.Bo.....%.Po.....%.Do.....%.Io.....%.Wo......+...0..8........s....%.oo.....%.+o.....%.-o.....%.o.....%.=o......+..".(.........0.. ..............%.r...p.%.r/..p.%....+..&.(.........0..0.........o#....oO...3..o%....oQ.....+....,....+....+..*.0..0.........o#....o#...3..o%....o%.....+....,....+....

C:\Users\user\AppData\Roaming\XDyfQvRGNV.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Payment Notification.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.631882884601436
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Payment Notification.pdf.exe
File size:	457728
MD5:	06e79cb697e436c1e66c49d3c39dbd82
SHA1:	025758750ef682cead7c98f6cf4156c7bb33a3b2
SHA256:	07749072a852c769fad91c350e6921b811fb04de3448516e2ccf5b81d07e22e7
SHA512:	f2ec81462399525595b8b0210024e80da782e09f43dae71156e5567b590c30fc5716218441664e4e142dbd0f2ec888e78706a20466866814a8d4454423b4be32
SSDEEP:	6144:75UiswNkTzNaIaX++UCEbOUPhM2yXJogC6HVcUGDneVy2vakl3V:FkyX+7OUPh3y5D1cVDneVyYagV
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.wa..............0......L........... ........@.. .......................`............@................................

File Icon


Icon Hash:	c4d2c4dcf4c6f230

Static PE Info

General
Entrypoint:	0x45cc02
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6177B028 [Tue Oct 26 07:37:12 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5cbb0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5e000	0x14a00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x74000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5ac08	0x5ae00	False	0.962613909904	data	7.95381107264	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x5e000	0x14a00	0x14a00	False	0.168276515152	data	4.56109890567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x74000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x5e1c0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 100663296, next used block 100663296
RT_ICON	0x60768	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 218103808, next used block 218103808
RT_ICON	0x61810	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x61c78	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x724a0	0x3e	data
RT_VERSION	0x724e0	0x334	data
RT_MANIFEST	0x72814	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017 - 2021
Assembly Version	1.0.0.0
InternalName	NameIn.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Project Snake
ProductVersion	1.0.0.0
FileDescription	Project Snake
OriginalFilename	NameIn.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2021 12:07:54.360006094 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:54.463334084 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:54.463505983 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:54.517205954 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:54.637379885 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:54.638669968 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:54.783440113 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:54.783633947 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:54.887315035 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:54.889476061 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.033448935 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.036890030 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.189665079 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.189904928 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.355802059 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.355828047 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.355849981 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.355869055 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.355881929 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.355922937 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.356034040 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.459258080 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.459312916 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.459377050 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.459415913 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.459443092 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.459481001 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.459517002 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.459528923 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.459553003 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.459573984 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.459619045 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.459626913 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.459645987 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.459681034 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.459801912 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.563003063 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563052893 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563076019 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563098907 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563143015 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563165903 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563184023 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563203096 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563220978 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563244104 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563266039 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563286066 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563288927 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.563309908 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563328981 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563340902 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563352108 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.563359976 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563385010 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563400030 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.563425064 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.563473940 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.667354107 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667407990 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667448044 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667498112 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667535067 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667572021 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667608976 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667655945 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667665005 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.667699099 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667716980 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.667737961 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667743921 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.667778015 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667817116 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667831898 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.667855024 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667892933 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667931080 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.667933941 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.667959929 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.667979002 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668013096 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.668023109 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668098927 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668106079 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.668138981 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.668138981 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668179035 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668206930 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.668215990 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668253899 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668255091 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.668292046 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668319941 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.668339014 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668382883 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668386936 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.668418884 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668452024 CEST	49774	6051	192.168.2.4	23.146.242.147
Oct 26, 2021 12:07:55.668457031 CEST	6051	49774	23.146.242.147	192.168.2.4
Oct 26, 2021 12:07:55.668494940 CEST	6051	49774	23.146.242.147	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2021 12:07:41.512943029 CEST	49257	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:07:41.531513929 CEST	53	49257	8.8.8.8	192.168.2.4
Oct 26, 2021 12:07:41.693167925 CEST	62389	53	192.168.2.4	8.8.4.4
Oct 26, 2021 12:07:41.711807013 CEST	53	62389	8.8.4.4	192.168.2.4
Oct 26, 2021 12:07:41.741597891 CEST	49910	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:07:41.760184050 CEST	53	49910	8.8.8.8	192.168.2.4
Oct 26, 2021 12:07:45.845683098 CEST	55854	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:07:45.864526987 CEST	53	55854	8.8.8.8	192.168.2.4
Oct 26, 2021 12:07:45.932966948 CEST	64549	53	192.168.2.4	8.8.4.4
Oct 26, 2021 12:07:45.951548100 CEST	53	64549	8.8.4.4	192.168.2.4
Oct 26, 2021 12:07:45.958858013 CEST	63153	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:07:45.976881027 CEST	53	63153	8.8.8.8	192.168.2.4
Oct 26, 2021 12:07:50.216686964 CEST	52991	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:07:50.235449076 CEST	53	52991	8.8.8.8	192.168.2.4
Oct 26, 2021 12:07:50.239002943 CEST	53700	53	192.168.2.4	8.8.4.4
Oct 26, 2021 12:07:50.257596970 CEST	53	53700	8.8.4.4	192.168.2.4
Oct 26, 2021 12:07:50.266953945 CEST	51726	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:07:50.285274029 CEST	53	51726	8.8.8.8	192.168.2.4
Oct 26, 2021 12:07:54.330153942 CEST	56794	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:07:54.351468086 CEST	53	56794	8.8.8.8	192.168.2.4
Oct 26, 2021 12:08:00.544697046 CEST	56627	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:08:00.565524101 CEST	53	56627	8.8.8.8	192.168.2.4
Oct 26, 2021 12:08:08.555134058 CEST	56621	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:08:08.573555946 CEST	53	56621	8.8.8.8	192.168.2.4
Oct 26, 2021 12:08:14.900113106 CEST	63116	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:08:14.916676998 CEST	53	63116	8.8.8.8	192.168.2.4
Oct 26, 2021 12:08:21.499331951 CEST	64801	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:08:21.515520096 CEST	53	64801	8.8.8.8	192.168.2.4
Oct 26, 2021 12:08:29.199875116 CEST	51255	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:08:29.218661070 CEST	53	51255	8.8.8.8	192.168.2.4
Oct 26, 2021 12:08:36.523969889 CEST	60579	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:08:36.540235043 CEST	53	60579	8.8.8.8	192.168.2.4
Oct 26, 2021 12:08:43.741024971 CEST	61531	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:08:43.761434078 CEST	53	61531	8.8.8.8	192.168.2.4
Oct 26, 2021 12:08:49.903099060 CEST	49228	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:08:49.921401024 CEST	53	49228	8.8.8.8	192.168.2.4
Oct 26, 2021 12:08:55.849997044 CEST	59794	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:08:55.868859053 CEST	53	59794	8.8.8.8	192.168.2.4
Oct 26, 2021 12:09:02.073508024 CEST	55916	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:09:02.092452049 CEST	53	55916	8.8.8.8	192.168.2.4
Oct 26, 2021 12:09:08.520137072 CEST	52752	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:09:08.541229010 CEST	53	52752	8.8.8.8	192.168.2.4
Oct 26, 2021 12:09:14.489131927 CEST	60542	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:09:14.509752989 CEST	53	60542	8.8.8.8	192.168.2.4
Oct 26, 2021 12:09:20.514698029 CEST	64206	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:09:20.533269882 CEST	53	64206	8.8.8.8	192.168.2.4
Oct 26, 2021 12:09:26.475930929 CEST	50904	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:09:26.494824886 CEST	53	50904	8.8.8.8	192.168.2.4
Oct 26, 2021 12:09:32.497100115 CEST	57525	53	192.168.2.4	8.8.8.8
Oct 26, 2021 12:09:32.521940947 CEST	53	57525	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 26, 2021 12:07:41.512943029 CEST	192.168.2.4	8.8.8.8	0x3b6a	Standard query (0)	harold.accesscam.org	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:41.693167925 CEST	192.168.2.4	8.8.4.4	0x714a	Standard query (0)	harold.accesscam.org	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:41.741597891 CEST	192.168.2.4	8.8.8.8	0x965e	Standard query (0)	harold.accesscam.org	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:45.845683098 CEST	192.168.2.4	8.8.8.8	0x659f	Standard query (0)	harold.accesscam.org	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:45.932966948 CEST	192.168.2.4	8.8.4.4	0x2815	Standard query (0)	harold.accesscam.org	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:45.958858013 CEST	192.168.2.4	8.8.8.8	0xf936	Standard query (0)	harold.accesscam.org	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:50.216686964 CEST	192.168.2.4	8.8.8.8	0x2905	Standard query (0)	harold.accesscam.org	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:50.239002943 CEST	192.168.2.4	8.8.4.4	0x50cc	Standard query (0)	harold.accesscam.org	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:50.266953945 CEST	192.168.2.4	8.8.8.8	0xb3ec	Standard query (0)	harold.accesscam.org	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:54.330153942 CEST	192.168.2.4	8.8.8.8	0xab78	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:00.544697046 CEST	192.168.2.4	8.8.8.8	0x2f90	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:08.555134058 CEST	192.168.2.4	8.8.8.8	0x70bf	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:14.900113106 CEST	192.168.2.4	8.8.8.8	0x4e1a	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:21.499331951 CEST	192.168.2.4	8.8.8.8	0x2154	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:29.199875116 CEST	192.168.2.4	8.8.8.8	0x59b0	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:36.523969889 CEST	192.168.2.4	8.8.8.8	0x696	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:43.741024971 CEST	192.168.2.4	8.8.8.8	0x971f	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:49.903099060 CEST	192.168.2.4	8.8.8.8	0x3abc	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:55.849997044 CEST	192.168.2.4	8.8.8.8	0x31e	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:02.073508024 CEST	192.168.2.4	8.8.8.8	0xc552	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:08.520137072 CEST	192.168.2.4	8.8.8.8	0x383d	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:14.489131927 CEST	192.168.2.4	8.8.8.8	0x711	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:20.514698029 CEST	192.168.2.4	8.8.8.8	0x11a0	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:26.475930929 CEST	192.168.2.4	8.8.8.8	0xe1df	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:32.497100115 CEST	192.168.2.4	8.8.8.8	0x6e77	Standard query (0)	harold.2waky.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 26, 2021 12:07:41.531513929 CEST	8.8.8.8	192.168.2.4	0x3b6a	Name error (3)	harold.accesscam.org	none	none	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:41.711807013 CEST	8.8.4.4	192.168.2.4	0x714a	Name error (3)	harold.accesscam.org	none	none	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:41.760184050 CEST	8.8.8.8	192.168.2.4	0x965e	Name error (3)	harold.accesscam.org	none	none	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:45.864526987 CEST	8.8.8.8	192.168.2.4	0x659f	Name error (3)	harold.accesscam.org	none	none	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:45.951548100 CEST	8.8.4.4	192.168.2.4	0x2815	Name error (3)	harold.accesscam.org	none	none	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:45.976881027 CEST	8.8.8.8	192.168.2.4	0xf936	Name error (3)	harold.accesscam.org	none	none	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:50.235449076 CEST	8.8.8.8	192.168.2.4	0x2905	Name error (3)	harold.accesscam.org	none	none	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:50.257596970 CEST	8.8.4.4	192.168.2.4	0x50cc	Name error (3)	harold.accesscam.org	none	none	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:50.285274029 CEST	8.8.8.8	192.168.2.4	0xb3ec	Name error (3)	harold.accesscam.org	none	none	A (IP address)	IN (0x0001)
Oct 26, 2021 12:07:54.351468086 CEST	8.8.8.8	192.168.2.4	0xab78	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:00.565524101 CEST	8.8.8.8	192.168.2.4	0x2f90	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:08.573555946 CEST	8.8.8.8	192.168.2.4	0x70bf	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:14.916676998 CEST	8.8.8.8	192.168.2.4	0x4e1a	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:21.515520096 CEST	8.8.8.8	192.168.2.4	0x2154	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:29.218661070 CEST	8.8.8.8	192.168.2.4	0x59b0	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:36.540235043 CEST	8.8.8.8	192.168.2.4	0x696	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:43.761434078 CEST	8.8.8.8	192.168.2.4	0x971f	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:49.921401024 CEST	8.8.8.8	192.168.2.4	0x3abc	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:08:55.868859053 CEST	8.8.8.8	192.168.2.4	0x31e	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:02.092452049 CEST	8.8.8.8	192.168.2.4	0xc552	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:08.541229010 CEST	8.8.8.8	192.168.2.4	0x383d	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:14.509752989 CEST	8.8.8.8	192.168.2.4	0x711	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:20.533269882 CEST	8.8.8.8	192.168.2.4	0x11a0	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:26.494824886 CEST	8.8.8.8	192.168.2.4	0xe1df	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)
Oct 26, 2021 12:09:32.521940947 CEST	8.8.8.8	192.168.2.4	0x6e77	No error (0)	harold.2waky.com		23.146.242.147	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Payment Notification.pdf.exe PID: 6132 Parent PID: 6520

General

Start time:	12:07:30
Start date:	26/10/2021
Path:	C:\Users\user\Desktop\Payment Notification.pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Payment Notification.pdf.exe'
Imagebase:	0x960000
File size:	457728 bytes
MD5 hash:	06E79CB697E436C1E66C49D3C39DBD82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.681190398.0000000003001000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.681509296.0000000004001000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 3740 Parent PID: 6132

General

Start time:	12:07:37
Start date:	26/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XDyfQvRGNV' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5A6.tmp'
Imagebase:	0x1390000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4720 Parent PID: 3740

General

Start time:	12:07:38
Start date:	26/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegSvcs.exe PID: 5412 Parent PID: 6132

General

Start time:	12:07:38
Start date:	26/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0xa10000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Payment Notification.pdf.scr

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre