Windows Analysis Report Payment confirmation .exe

Overview

General Information

Sample Name:	Payment confirmation .exe
Analysis ID:	551433
MD5:	aa035026516778019f8b8bd0e224fc03
SHA1:	efae7e259b4581830c7e6bfeb94ed6dd25a54229
SHA256:	39c5635ea42d63fe84500b9760fbe56e0fd3243007700749609bca1cd8d9e5d4
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Antivirus detection for URL or domain

Yara detected Nanocore RAT

Initial sample is a PE file and has a suspicious name

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Sigma detected: Suspicius Add Task From User AppData Temp

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Powershell Defender Exclusion

.NET source code contains method to dynamically call methods (often used by packers)

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b", "Domain1": "naki.airdns.org", "Domain2": "37.120.210.211", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "faff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Antivirus detection for URL or domain

Source: 37.120.210.211

Avira URL Cloud: Label: malware

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR

Machine Learning detection for sample

Source: Payment confirmation .exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\QNRauI.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 10.2.Payment confirmation .exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.Payment confirmation .exe.52e0000.7.unpack	Avira: Label: TR/NanoCore.fadte
Source: 10.0.Payment confirmation .exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.10.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.12.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: Payment confirmation .exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Payment confirmation .exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 146.70.76.43 ports 56281,1,2,5,6,8

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 37.120.210.211
Source: Malware configuration extractor	URLs: naki.airdns.org

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TENET-1ZA TENET-1ZA

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49761 -> 146.70.76.43:56281

Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677385911.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677536867.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677732929.0000000005409000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comM
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Payment confirmation .exe, 00000000.00000003.677558315.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677216510.0000000005403000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677385911.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677536867.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677732929.0000000005409000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comwit
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Payment confirmation .exe, 00000000.00000003.684072387.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment confirmation .exe, 00000000.00000003.679784035.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.679682374.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment confirmation .exe, 00000000.00000003.683286235.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683406802.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683351862.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment confirmation .exe, 00000000.00000003.683286235.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683351862.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmld
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment confirmation .exe, 00000000.00000003.680816196.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersIUy
Source: Payment confirmation .exe, 00000000.00000003.679938204.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.694073095.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.679784035.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersTUF
Source: Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersico
Source: Payment confirmation .exe, 00000000.00000003.694073095.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersnox
Source: Payment confirmation .exe, 00000000.00000003.683542352.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers~
Source: Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers~Ul
Source: Payment confirmation .exe, 00000000.00000002.729385777.0000000000A74000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.commfet
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.676069541.000000000542F000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment confirmation .exe, 00000000.00000003.687634241.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment confirmation .exe, 00000000.00000003.687703540.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687634241.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/~Rm
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/;
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/C
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/pt-b
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: Payment confirmation .exe, 00000000.00000003.680816196.0000000005433000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: Payment confirmation .exe, 00000000.00000003.687529964.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687463634.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687617708.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687425665.000000000544C000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.p
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677972229.000000000542C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Payment confirmation .exe, 00000000.00000003.677944436.000000000542C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677972229.000000000542C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com.
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.como
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: naki.airdns.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)

Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.52d0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.62b4c9f.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.62b0000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.29e4fc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.62b0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.62be8a4.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.943393198.00000000052D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment confirmation .exe

Uses 32bit PE files

Source: Payment confirmation .exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.52d0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.52d0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.62b4c9f.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.62b4c9f.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.62b0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.62b0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.29e4fc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.29e4fc0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.62b0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.62b0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.62be8a4.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.62be8a4.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.943393198.00000000052D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.943393198.00000000052D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Detected potential crypto function

Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_00082594	0_2_00082594
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_00A2C164	0_2_00A2C164
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_00A2E5A0	0_2_00A2E5A0
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_00A2E5B0	0_2_00A2E5B0
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_00A2FBE0	0_2_00A2FBE0
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07360EB6	0_2_07360EB6
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07360026	0_2_07360026
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 0_2_07360040	0_2_07360040
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 9_2_000C2594	9_2_000C2594
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_006A2594	10_2_006A2594
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_0108E471	10_2_0108E471
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_0108E480	10_2_0108E480
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_0108BBD4	10_2_0108BBD4
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_04F8F5F8	10_2_04F8F5F8
Source: C:\Users\user\Desktop\Payment confirmation .exe	Code function: 10_2_04F89788	10_2_04F89788

Sample file is different than original file name gathered from version info

Source: Payment confirmation .exe	Binary or memory string: OriginalFilename vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000003.697326569.000000000349E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe, 00000000.00000002.734838256.00000000071E0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs Payment confirmation .exe
Source: Payment confirmation .exe	Binary or memory string: OriginalFilename vs Payment confirmation .exe
Source: Payment confirmation .exe	Binary or memory string: OriginalFilename vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe, 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Payment confirmation .exe
Source: Payment confirmation .exe	Binary or memory string: OriginalFilenameOnDeserializingAttribu.exe2 vs Payment confirmation .exe

Source: Payment confirmation .exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QNRauI.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment confirmation .exe

File read: C:\Users\user\Desktop\Payment confirmation .exe

Source: unknown	Process created: C:\Users\user\Desktop\Payment confirmation .exe "C:\Users\user\Desktop\Payment confirmation .exe"
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process created: C:\Users\user\Desktop\Payment confirmation .exe C:\Users\user\Desktop\Payment confirmation .exe	Jump to behavior

Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\Payment confirmation .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5036:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3600:120:WilError_01
Source: C:\Users\user\Desktop\Payment confirmation .exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2616a878-9933-42e4-9fe0-3b57e29bc1f5}
Source: C:\Users\user\Desktop\Payment confirmation .exe	Mutant created: \Sessions\1\BaseNamedObjects\lresUOKKCheNReqlZnYyzR

Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Payment confirmation .exe, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: QNRauI.exe.0.dr, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Payment confirmation .exe.80000.0.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Payment confirmation .exe.80000.0.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.Payment confirmation .exe.c0000.3.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.Payment confirmation .exe.c0000.0.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.Payment confirmation .exe.c0000.1.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.Payment confirmation .exe.c0000.0.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.0.Payment confirmation .exe.c0000.2.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.5.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.9.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.11.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.1.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.13.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Payment confirmation .exe.6a0000.1.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Payment confirmation .exe.6a0000.0.unpack, Form1.cs	.Net Code: CALLCONV System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: Payment confirmation .exe, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: QNRauI.exe.0.dr, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.2.Payment confirmation .exe.80000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.0.Payment confirmation .exe.80000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.Payment confirmation .exe.c0000.3.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.Payment confirmation .exe.c0000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.Payment confirmation .exe.c0000.1.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.2.Payment confirmation .exe.c0000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 9.0.Payment confirmation .exe.c0000.2.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.5.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.9.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.11.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.1.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.13.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.2.Payment confirmation .exe.6a0000.1.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 10.0.Payment confirmation .exe.6a0000.0.unpack, Form1.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)

Source: initial sample	Static PE information: section name: .text entropy: 7.96359768292
Source: initial sample	Static PE information: section name: .text entropy: 7.96359768292

Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 10.2.Payment confirmation .exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 10.0.Payment confirmation .exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 10.0.Payment confirmation .exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: Payment confirmation .exe, 00000000.00000002.730307873.0000000002611000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Payment confirmation .exe, 00000000.00000002.730307873.0000000002611000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 7000	Thread sleep time: -39064s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 7024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4260	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe TID: 6760	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4870	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3864	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Window / User API: threadDelayed 3782	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Window / User API: threadDelayed 5112	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Window / User API: foregroundWindowGot 769	Jump to behavior

Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 39064	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Payment confirmation .exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Payment confirmation .exe	Process token adjusted: Debug	Jump to behavior

Source: Payment confirmation .exe, 0000000A.00000002.940923801.0000000002E46000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.941005381.0000000002E96000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.941108443.0000000002ED0000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.939580012.0000000001440000.00000002.00020000.sdmp, Payment confirmation .exe, 0000000A.00000002.941061864.0000000002ECE000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.944136866.000000000615D000.00000004.00000010.sdmp, Payment confirmation .exe, 0000000A.00000002.944077289.000000000601D000.00000004.00000010.sdmp, Payment confirmation .exe, 0000000A.00000002.944022787.0000000005DDC000.00000004.00000010.sdmp, Payment confirmation .exe, 0000000A.00000002.939799082.00000000029FB000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.939992078.0000000002AE8000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: Payment confirmation .exe, 0000000A.00000002.939580012.0000000001440000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Payment confirmation .exe, 0000000A.00000002.939580012.0000000001440000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Payment confirmation .exe, 0000000A.00000002.940923801.0000000002E46000.00000004.00000001.sdmp, Payment confirmation .exe, 0000000A.00000002.939992078.0000000002AE8000.00000004.00000001.sdmp	Binary or memory string: Program Manager\|$
Source: Payment confirmation .exe, 0000000A.00000002.939580012.0000000001440000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: Payment confirmation .exe, 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Payment confirmation .exe, 0000000A.00000002.944294212.00000000062B0000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Name	Malicious	Antivirus Detection	Reputation
37.120.210.211	true	Avira URL Cloud: malware	unknown
naki.airdns.org	true	Avira URL Cloud: safe	unknown

ID:	551433
Product:	CloudBasic
Start time:	08:24:50
Start date:	12.01.2022
Sample:	Payment confirmation .exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	aa035026516778019f8b8bd0e224fc03
SHA1:	efae7e259b4581830c7e6bfeb94ed6dd25a54229
SHA256:	39c5635ea42d63fe84500b9760fbe56e0fd3243007700749609bca1cd8d9e5d4
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report Payment confirmation .exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment confirmation .exe.log	ASCII text, with CRLF line terminators	A9EFF9253CAF99EC8665E41D736DDAED	D95BB4ABC856D774DA4602A59DE252B4BF560530	DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	438CEF22F7B9AB115F27C9E03ED52A92	3E50A0EF10FB3EE05A1772B685114078755E461C	4DDC221F1F2DA6CD48D3117C60008429D9F2631F0BF7C5DF8927989ECBB05CCC
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qnk0ivh.iyj.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mevy52tz.tt5.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp	XML 1.0 document, ASCII text	B0A91C23E82AA9831131A946DC8882B2	6ACB72396925F2655F17259CB41980C1E77B5BBB	830508EBB4A30C675781AA7A61A4A3B41379B090CC472B86368AA906849E39B8
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat	data	32D0AAE13696FF7F8AF33B2D22451028	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	SysEx File - Twister	6D4C80C6B89E030207C12FF4661B6118	7401D0D745A13BD2905E25C23E65421C382391A9	EBABE9E7478812E1D324E5F7D94EFA80B73BAB3E1A3CFC9E155047BC3858344F
C:\Users\user\AppData\Roaming\QNRauI.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	AA035026516778019F8B8BD0E224FC03	EFAE7E259B4581830C7E6BFEB94ED6DD25A54229	39C5635EA42D63FE84500B9760FBE56E0FD3243007700749609BCA1CD8D9E5D4
C:\Users\user\AppData\Roaming\QNRauI.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20220112\PowerShell_transcript.830021.GhMaXGHf.20220112082610.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	322C10DE7FC412A3E88EABCEB5DD0130	51593CE60CD26DD9EF22B0784C44CB381CE5D4A8	43AD0D4351316231CFCB26AC59E6F01839779EEFF38D961A10D251ACE4172D9B